{"id":947,"date":"2016-10-11T09:20:18","date_gmt":"2016-10-11T07:20:18","guid":{"rendered":"http:\/\/www.netnea.com\/cms\/?page_id=947"},"modified":"2025-11-07T10:45:17","modified_gmt":"2025-11-07T09:45:17","slug":"apache-tutorial-4_configuring-ssl-tls","status":"publish","type":"page","link":"https:\/\/www.netnea.com\/cms\/apache-tutorial-4_configuring-ssl-tls\/","title":{"rendered":"Enabling Encryption with SSL\/TLS"},"content":{"rendered":"\n<h2 id=\"enabling-encryption-with-ssltls\">Enabling Encryption with SSL\/TLS<\/h2>\n<h3 id=\"what-are-we-doing\">What are we doing?<\/h3>\n<p>We are setting up an Apache web server secured by a server certificate.<\/p>\n<h3 id=\"why-are-we-doing-this\">Why are we doing this?<\/h3>\n<p>The HTTP protocol uses plain text, which can easily be spied on. The HTTPS extension surrounds HTTP traffic in a protective SSL\/TLS layer, preventing snooping and ensuring that we are really talking to the server we entered in the URL. All data is sent encrypted. This still doesn\u2019t mean that the web server is secure, but it is the basis for secure HTTP traffic.<\/p>\n<h3 id=\"requirements\">Requirements<\/h3>\n<ul>\n<li>An Apache web server, ideally one created using the file structure shown in <a href=\"https:\/\/www.netnea.com\/cms\/apache-tutorial-1_compiling-apache\/\">Tutorial 1 (Compiling an Apache web server)<\/a>.<\/li>\n<li>Understanding of the minimal configuration in <a href=\"http:\/\/www.netnea.com\/cms\/apache-tutorial-2_minimal-apache-configuration\">Tutorial 2 (Configuring a minimal Apache server)<\/a>.<\/li>\n<\/ul>\n<p>First, we are going to enable the server to use SSL with a self-signed certificate. Afterwards, I will explain how to get an officially signed certificate. In order to perform this step, you need to control a domain and a webserver, which is being routed and thus accessible from the internet. 
In this tutorial, I am going to work with the example domain <code>christian-folini.ch<\/code>.<\/p>\n<p>This whole series of tutorials is meant as a guide to a successful lab setup. The idea is to really, really understand Apache. This tutorial is a bit of an exception, as we need to be accessible from the internet in order to get the signed certificate. Later tutorials will return to the lab setup though.<\/p>\n<h3 id=\"step-1-configuring-a-server-using-ssltls-but-without-an-officially-signed-certificate\">Step 1: Configuring a server using SSL\/TLS, but without an officially signed certificate<\/h3>\n<p>The inner workings of the <em>SSL\/TLS<\/em> protocol are complex. The free <em>OpenSSL Cookbook<\/em> by Ivan Risti\u0107 (see links below) explains this topic. His bigger work <em>Bulletproof SSL and TLS<\/em>, which explains the trust relationships in great detail, is another good introduction. The minimal knowledge required can be found in this tutorial though.<\/p>\n<p>When contacted by a client, an SSL server must present a signed certificate to identify itself. For a successful connection, the client must trust the signing authority; it checks this by validating the certificate chain from the server certificate up to the root certificate of the signing authority, also called the certificate authority (CA). Officially signed certificates are acquired from a public (or private) provider whose root certificate is one the browser is familiar with.<\/p>\n<p>The configuration of an SSL server therefore comprises two steps: Obtaining an officially signed certificate and configuring the server. The configuration of the server is the more interesting and easier part, which is why we\u2019ll do that first. 
In doing so, we\u2019ll be using an unofficial certificate present on our system (at least if it\u2019s from the Debian family and the <em>ssl-cert<\/em> package is installed).<\/p>\n<p>The certificate and related key are located here:<\/p>\n<div class=\"sourceCode\" id=\"cb1\"><pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb1-1\"><a href=\"#cb1-1\" aria-hidden=\"true\"><\/a><span class=\"ex\">\/etc\/ssl\/certs\/ssl-cert-snakeoil.pem<\/span><\/span>\n<span id=\"cb1-2\"><a href=\"#cb1-2\" aria-hidden=\"true\"><\/a><span class=\"ex\">\/etc\/ssl\/private\/ssl-cert-snakeoil.key<\/span><\/span><\/code><\/pre><\/div>\n<p>The names of the files are an indication that this pair is one that shouldn\u2019t inspire confidence. The browser will then put up a warning about the certificate if it\u2019s being used for a server.<\/p>\n<p>But they are perfectly fine for an initial attempt at configuration:<\/p>\n<div class=\"sourceCode\" id=\"cb2\"><pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb2-1\"><a href=\"#cb2-1\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb2-2\"><a href=\"#cb2-2\" aria-hidden=\"true\"><\/a><span class=\"ex\">ServerName<\/span>              localhost<\/span>\n<span id=\"cb2-3\"><a href=\"#cb2-3\" aria-hidden=\"true\"><\/a><span class=\"ex\">ServerAdmin<\/span>             root@localhost<\/span>\n<span id=\"cb2-4\"><a href=\"#cb2-4\" aria-hidden=\"true\"><\/a><span class=\"ex\">ServerRoot<\/span>              \/apache<\/span>\n<span id=\"cb2-5\"><a href=\"#cb2-5\" aria-hidden=\"true\"><\/a><span class=\"ex\">User<\/span>                    www-data<\/span>\n<span id=\"cb2-6\"><a href=\"#cb2-6\" aria-hidden=\"true\"><\/a><span class=\"ex\">Group<\/span>                   www-data<\/span>\n<span id=\"cb2-7\"><a href=\"#cb2-7\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb2-8\"><a href=\"#cb2-8\" aria-hidden=\"true\"><\/a><span class=\"ex\">ServerTokens<\/span>            Prod<\/span>\n<span 
id=\"cb2-9\"><a href=\"#cb2-9\" aria-hidden=\"true\"><\/a><span class=\"ex\">UseCanonicalName<\/span>        On<\/span>\n<span id=\"cb2-10\"><a href=\"#cb2-10\" aria-hidden=\"true\"><\/a><span class=\"ex\">TraceEnable<\/span>             Off<\/span>\n<span id=\"cb2-11\"><a href=\"#cb2-11\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb2-12\"><a href=\"#cb2-12\" aria-hidden=\"true\"><\/a><span class=\"ex\">Timeout<\/span>                 10<\/span>\n<span id=\"cb2-13\"><a href=\"#cb2-13\" aria-hidden=\"true\"><\/a><span class=\"ex\">MaxRequestWorkers<\/span>       100<\/span>\n<span id=\"cb2-14\"><a href=\"#cb2-14\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb2-15\"><a href=\"#cb2-15\" aria-hidden=\"true\"><\/a><span class=\"ex\">Listen<\/span>                  127.0.0.1:80<\/span>\n<span id=\"cb2-16\"><a href=\"#cb2-16\" aria-hidden=\"true\"><\/a><span class=\"ex\">Listen<\/span>                  127.0.0.1:443<\/span>\n<span id=\"cb2-17\"><a href=\"#cb2-17\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb2-18\"><a href=\"#cb2-18\" aria-hidden=\"true\"><\/a><span class=\"ex\">LoadModule<\/span>              mpm_event_module        modules\/mod_mpm_event.so<\/span>\n<span id=\"cb2-19\"><a href=\"#cb2-19\" aria-hidden=\"true\"><\/a><span class=\"ex\">LoadModule<\/span>              unixd_module            modules\/mod_unixd.so<\/span>\n<span id=\"cb2-20\"><a href=\"#cb2-20\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb2-21\"><a href=\"#cb2-21\" aria-hidden=\"true\"><\/a><span class=\"ex\">LoadModule<\/span>              log_config_module       modules\/mod_log_config.so<\/span>\n<span id=\"cb2-22\"><a href=\"#cb2-22\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb2-23\"><a href=\"#cb2-23\" aria-hidden=\"true\"><\/a><span class=\"ex\">LoadModule<\/span>              authn_core_module       modules\/mod_authn_core.so<\/span>\n<span id=\"cb2-24\"><a href=\"#cb2-24\" aria-hidden=\"true\"><\/a><span class=\"ex\">LoadModule<\/span>              
authz_core_module       modules\/mod_authz_core.so<\/span>\n<span id=\"cb2-25\"><a href=\"#cb2-25\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb2-26\"><a href=\"#cb2-26\" aria-hidden=\"true\"><\/a><span class=\"ex\">LoadModule<\/span>              ssl_module              modules\/mod_ssl.so<\/span>\n<span id=\"cb2-27\"><a href=\"#cb2-27\" aria-hidden=\"true\"><\/a><span class=\"ex\">LoadModule<\/span>              headers_module          modules\/mod_headers.so<\/span>\n<span id=\"cb2-28\"><a href=\"#cb2-28\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb2-29\"><a href=\"#cb2-29\" aria-hidden=\"true\"><\/a><span class=\"ex\">ErrorLogFormat<\/span>          <span class=\"st\">&quot;[%{cu}t] [%-m:%-l] %-a %-L %M&quot;<\/span><\/span>\n<span id=\"cb2-30\"><a href=\"#cb2-30\" aria-hidden=\"true\"><\/a><span class=\"ex\">LogFormat<\/span>               <span class=\"st\">&quot;%h %l %u [%{%Y-%m-%d %H:%M:%S}t.%{usec_frac}t] <\/span><span class=\"dt\">\\&quot;<\/span><span class=\"st\">%r<\/span><span class=\"dt\">\\&quot;<\/span><span class=\"st\"> %&gt;s %b \\<\/span><\/span>\n<span id=\"cb2-31\"><a href=\"#cb2-31\" aria-hidden=\"true\"><\/a><span class=\"dt\">\\&quot;<\/span><span class=\"st\">%{Referer}i<\/span><span class=\"dt\">\\&quot;<\/span><span class=\"st\"> <\/span><span class=\"dt\">\\&quot;<\/span><span class=\"st\">%{User-Agent}i<\/span><span class=\"dt\">\\&quot;<\/span><span class=\"st\">&quot;<\/span> combined<\/span>\n<span id=\"cb2-32\"><a href=\"#cb2-32\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb2-33\"><a href=\"#cb2-33\" aria-hidden=\"true\"><\/a><span class=\"ex\">LogLevel<\/span>                debug<\/span>\n<span id=\"cb2-34\"><a href=\"#cb2-34\" aria-hidden=\"true\"><\/a><span class=\"ex\">ErrorLog<\/span>                logs\/error.log<\/span>\n<span id=\"cb2-35\"><a href=\"#cb2-35\" aria-hidden=\"true\"><\/a><span class=\"ex\">CustomLog<\/span>               logs\/access.log combined<\/span>\n<span id=\"cb2-36\"><a 
href=\"#cb2-36\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb2-37\"><a href=\"#cb2-37\" aria-hidden=\"true\"><\/a><span class=\"ex\">SSLCertificateKeyFile<\/span>   \/etc\/ssl\/private\/ssl-cert-snakeoil.key<\/span>\n<span id=\"cb2-38\"><a href=\"#cb2-38\" aria-hidden=\"true\"><\/a><span class=\"ex\">SSLCertificateFile<\/span>      \/etc\/ssl\/certs\/ssl-cert-snakeoil.pem<\/span>\n<span id=\"cb2-39\"><a href=\"#cb2-39\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb2-40\"><a href=\"#cb2-40\" aria-hidden=\"true\"><\/a><span class=\"ex\">SSLProtocol<\/span>             All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1<\/span>\n<span id=\"cb2-41\"><a href=\"#cb2-41\" aria-hidden=\"true\"><\/a><span class=\"ex\">SSLCipherSuite<\/span>          <span class=\"st\">&#39;kEECDH+ECDSA kEECDH kEDH HIGH +SHA !aNULL !eNULL !LOW !MEDIUM \\<\/span><\/span>\n<span id=\"cb2-42\"><a href=\"#cb2-42\" aria-hidden=\"true\"><\/a><span class=\"st\">!MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4&#39;<\/span><\/span>\n<span id=\"cb2-43\"><a href=\"#cb2-43\" aria-hidden=\"true\"><\/a><span class=\"ex\">SSLHonorCipherOrder<\/span>     On<\/span>\n<span id=\"cb2-44\"><a href=\"#cb2-44\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb2-45\"><a href=\"#cb2-45\" aria-hidden=\"true\"><\/a><span class=\"ex\">SSLRandomSeed<\/span>           startup file:\/dev\/urandom 2048<\/span>\n<span id=\"cb2-46\"><a href=\"#cb2-46\" aria-hidden=\"true\"><\/a><span class=\"ex\">SSLRandomSeed<\/span>           connect builtin<\/span>\n<span id=\"cb2-47\"><a href=\"#cb2-47\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb2-48\"><a href=\"#cb2-48\" aria-hidden=\"true\"><\/a><span class=\"ex\">DocumentRoot<\/span>            \/apache\/htdocs<\/span>\n<span id=\"cb2-49\"><a href=\"#cb2-49\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb2-50\"><a href=\"#cb2-50\" aria-hidden=\"true\"><\/a><span class=\"op\">&lt;<\/span><span class=\"ex\">Directory<\/span> \/<span class=\"op\">&gt;<\/span><\/span>\n<span 
id=\"cb2-51\"><a href=\"#cb2-51\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb2-52\"><a href=\"#cb2-52\" aria-hidden=\"true\"><\/a>        <span class=\"ex\">Require<\/span> all denied<\/span>\n<span id=\"cb2-53\"><a href=\"#cb2-53\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb2-54\"><a href=\"#cb2-54\" aria-hidden=\"true\"><\/a>        <span class=\"ex\">Options<\/span> SymLinksIfOwnerMatch<\/span>\n<span id=\"cb2-55\"><a href=\"#cb2-55\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb2-56\"><a href=\"#cb2-56\" aria-hidden=\"true\"><\/a><span class=\"op\">&lt;<\/span>\/<span class=\"ex\">Directory<\/span><span class=\"op\">&gt;<\/span><\/span>\n<span id=\"cb2-57\"><a href=\"#cb2-57\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb2-58\"><a href=\"#cb2-58\" aria-hidden=\"true\"><\/a><span class=\"op\">&lt;<\/span><span class=\"ex\">VirtualHost<\/span> 127.0.0.1:<span class=\"op\">80&gt;<\/span><\/span>\n<span id=\"cb2-59\"><a href=\"#cb2-59\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb2-60\"><a href=\"#cb2-60\" aria-hidden=\"true\"><\/a>      <span class=\"op\">&lt;<\/span><span class=\"ex\">Directory<\/span> \/apache\/htdocs<span class=\"op\">&gt;<\/span><\/span>\n<span id=\"cb2-61\"><a href=\"#cb2-61\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb2-62\"><a href=\"#cb2-62\" aria-hidden=\"true\"><\/a>        <span class=\"ex\">Require<\/span> all granted<\/span>\n<span id=\"cb2-63\"><a href=\"#cb2-63\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb2-64\"><a href=\"#cb2-64\" aria-hidden=\"true\"><\/a>        <span class=\"ex\">Options<\/span> None<\/span>\n<span id=\"cb2-65\"><a href=\"#cb2-65\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb2-66\"><a href=\"#cb2-66\" aria-hidden=\"true\"><\/a>      <span class=\"op\">&lt;<\/span>\/<span class=\"ex\">Directory<\/span><span class=\"op\">&gt;<\/span><\/span>\n<span id=\"cb2-67\"><a href=\"#cb2-67\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb2-68\"><a href=\"#cb2-68\" 
aria-hidden=\"true\"><\/a><span class=\"op\">&lt;<\/span>\/<span class=\"ex\">VirtualHost<\/span><span class=\"op\">&gt;<\/span><\/span>\n<span id=\"cb2-69\"><a href=\"#cb2-69\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb2-70\"><a href=\"#cb2-70\" aria-hidden=\"true\"><\/a><span class=\"op\">&lt;<\/span><span class=\"ex\">VirtualHost<\/span> 127.0.0.1:<span class=\"op\">443&gt;<\/span><\/span>\n<span id=\"cb2-71\"><a href=\"#cb2-71\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb2-72\"><a href=\"#cb2-72\" aria-hidden=\"true\"><\/a>        <span class=\"ex\">SSLEngine<\/span> On<\/span>\n<span id=\"cb2-73\"><a href=\"#cb2-73\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb2-74\"><a href=\"#cb2-74\" aria-hidden=\"true\"><\/a>        <span class=\"ex\">Header<\/span> always set Strict-Transport-Security <span class=\"st\">&quot;max-age=31536000; includeSubDomains&quot;<\/span> env=HTTPS<\/span>\n<span id=\"cb2-75\"><a href=\"#cb2-75\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb2-76\"><a href=\"#cb2-76\" aria-hidden=\"true\"><\/a>        <span class=\"op\">&lt;<\/span><span class=\"ex\">Directory<\/span> \/apache\/htdocs<span class=\"op\">&gt;<\/span><\/span>\n<span id=\"cb2-77\"><a href=\"#cb2-77\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb2-78\"><a href=\"#cb2-78\" aria-hidden=\"true\"><\/a>            <span class=\"ex\">Require<\/span> all granted<\/span>\n<span id=\"cb2-79\"><a href=\"#cb2-79\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb2-80\"><a href=\"#cb2-80\" aria-hidden=\"true\"><\/a>            <span class=\"ex\">Options<\/span> None<\/span>\n<span id=\"cb2-81\"><a href=\"#cb2-81\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb2-82\"><a href=\"#cb2-82\" aria-hidden=\"true\"><\/a>        <span class=\"op\">&lt;<\/span>\/<span class=\"ex\">Directory<\/span><span class=\"op\">&gt;<\/span><\/span>\n<span id=\"cb2-83\"><a href=\"#cb2-83\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb2-84\"><a href=\"#cb2-84\" 
aria-hidden=\"true\"><\/a><span class=\"op\">&lt;<\/span>\/<span class=\"ex\">VirtualHost<\/span><span class=\"op\">&gt;<\/span><\/span><\/code><\/pre><\/div>\n<p>I won\u2019t be describing the entire configuration, only the directives that have been added since Tutorial 2. We are still listening on port 80, but now also on the <em>HTTPS<\/em> port 443. For this first attempt, both <em>Listen<\/em> directives and both <em>VirtualHosts<\/em> remain bound to the <em>localhost<\/em> address 127.0.0.1, exactly as in Tutorial 2. As soon as we need to be accessible from the internet in the subsequent steps, the <em>Listen<\/em> directives and the addresses of the <em>VirtualHosts<\/em> have to be changed to the public IP address of the server (or to all configured IP addresses).<\/p>\n<p>As expected, the <em>SSL<\/em> module is the new one to be loaded; and additionally the Headers-module, which we\u2019ll use below. Then we configure the key and the certificate by using the <em>SSLCertificateKeyFile<\/em> and <em>SSLCertificateFile<\/em> directives. The private key must not be readable by anyone but <em>root<\/em> (and a dedicated group such as <em>ssl-cert<\/em> on Debian): Apache reads it at startup while still running as <em>root<\/em>, before it drops its privileges to <em>www-data<\/em>. On the protocol line (<em>SSLProtocol<\/em>) it is very important for us to disable the older and insecure <em>SSLv2<\/em>, <em>SSLv3<\/em>, <em>TLSv1<\/em> and <em>TLSv1.1<\/em> protocols. This will result in only allowing the fairly modern <em>TLSv1.2<\/em> and the newer <em>TLSv1.3<\/em> protocol if it is available for your installation. <em>TLSv1.2<\/em> is still widely deployed, but current browsers negotiate <em>TLSv1.3<\/em> whenever the server offers it. The handshake and the encryption of the traffic are done using a combination of several algorithms: key exchange, authentication, symmetric encryption and message authentication. The list of the cryptographic algorithms we permit defines the <em>cipher suite<\/em>. It\u2019s important to use a clean <em>cipher suite<\/em>, because this is where attacks on the encryption typically take place: They exploit known weaknesses or the insufficient key length of older algorithms. However, a very restrictive suite may prevent older browsers from accessing our server. The proposed <em>cipher suite<\/em> has a high level of security and still takes into account some older browsers starting with Windows Vista. 
We are thus excluding Windows XP and very old versions of Android from communication.<\/p>\n<p>The <em>HIGH<\/em> group of algorithms is the core of the <em>cipher suite<\/em>. This is the group of high encryption ciphers which <em>OpenSSL<\/em> provides to us via the <em>SSL module<\/em>. The algorithms listed in front of this keyword, which are also a part of the <em>HIGH<\/em> group, are given higher priority by being listed first: <code>kEECDH+ECDSA<\/code> (ephemeral elliptic curve Diffie-Hellman key exchange with ECDSA authentication), <code>kEECDH<\/code> (the same key exchange with any authentication) and <code>kEDH<\/code> (ephemeral finite field Diffie-Hellman). All of these provide forward secrecy. Be aware that <em>HIGH<\/em> also contains ciphers with plain RSA key exchange, which do not offer forward secrecy; because the forward secrecy key exchanges are listed first, these ciphers are ranked lower and only serve the older browsers mentioned above. The entry <code>+SHA<\/code> does not add anything: In the <em>OpenSSL<\/em> cipher string syntax a leading <code>+<\/code> moves the matching ciphers, here the ones using <em>SHA-1<\/em> as message authentication code, to the end of the list, so that they are only chosen when nothing better is available. Afterwards we exclude (<code>!<\/code>) a number of algorithms that for one reason or another are not wanted in our <em>cipher suite<\/em>, among them ciphers without authentication or without encryption (<code>aNULL<\/code>, <code>eNULL<\/code>), weak and export grade ciphers, <em>MD5<\/em>, <em>RC4<\/em> and <em>DSS<\/em>. Ciphers removed with <code>!<\/code> can not be added back by a later entry in the list.<\/p>\n<p>When I talked about this definition of a <em>cipher suite<\/em> with Ivan Risti\u0107, he made it clear he prefers to define the list by naming all the desired ciphers explicitly and in the right order. So he will not use the keyword <code>HIGH<\/code> at all. My approach is different as it is based on the <code>HIGH<\/code> keyword with some manual tweaks on the cipher order by hand. The point of my approach is that new ciphers appearing within the group <code>HIGH<\/code> will be added to the <em>cipher list<\/em> automatically. But this might not always be desired and also the order of the ciphers could be rearranged within the <code>HIGH<\/code> group. We depend on <em>OpenSSL<\/em> and on the operating system\u2019s compiled <em>OpenSSL<\/em> in this regard. Ivan\u2019s approach keeps total control, but you might miss out on new strong ciphers when they become available unless you reconfigure the <em>cipher list<\/em>. So there is a tradeoff between convenience for the maintainer and control over the <em>cipher suite<\/em>.<\/p>\n<p>After the <em>cipher suite<\/em> we follow with the <em>SSLHonorCipherOrder<\/em> directive. It is of immense importance. We often hear about <em>downgrade attacks<\/em> in SSL. 
This is when an attacker, as a man-in-the-middle, manipulates the parameters of the handshake in such a way that a weaker protocol version or a weaker cipher is negotiated than both sides would be capable of. Disabling the old protocol versions via <em>SSLProtocol<\/em> is what prevents a downgrade of the protocol version. <em>SSLHonorCipherOrder<\/em> takes care of the cipher: Without it, the server selects the first cipher from the client\u2019s preference list that it supports as well, so the careful ordering we defined in the <em>cipher suite<\/em> would be ignored whenever the client prefers a weaker cipher. With the directive set to <em>On<\/em>, the server insists on its own preference and picks the strongest cipher the client is able to use.<\/p>\n<p>Encryption works with random numbers. The random number generator should be properly seeded and used, which is the purpose of the <em>SSLRandomSeed<\/em> directive. This is another place where performance and security have to be considered. When starting the server we access the operating system\u2019s random numbers in <em>\/dev\/urandom<\/em>. While operating the server, we use Apache\u2019s own pseudo random source (builtin) for the <em>SSL handshake<\/em>, which is seeded from the current time, the process id and a part of the server\u2019s scoreboard. The <em>\/dev\/urandom<\/em> source is the best source for random numbers in almost all situations: it is a quick source and also one that guarantees a certain amount of entropy. The qualitatively even better source, <em>\/dev\/random<\/em>, could in adverse circumstances block our server when starting, because not enough entropy data is present. On current Linux kernels (5.6 and newer) <em>\/dev\/random<\/em> no longer blocks once the pool has been initialised, so the difference has largely disappeared, but <em>\/dev\/urandom<\/em> remains the safe choice on every system and is generally preferred outside of very rare and special situations.<\/p>\n<p>We have also introduced a second <em>virtual host<\/em>. It is very similar to the <em>virtual host<\/em> for port 80. But the port number is <em>443<\/em> and we are enabling the <em>SSL engine<\/em>, which activates the TLS configuration defined above for this <em>virtual host<\/em> and encrypts the traffic for us. Additionally, we use the Header-Module loaded above in order to set the <em>Strict-Transport-Security<\/em>-header (short <em>STS<\/em>-Header, often also called <em>HSTS<\/em>). This HTTP header is part of the response and tells the client to use encryption for a duration of one year (this equals 31536000 seconds) when connected to our server. 
This happens regardless of the presence of the <code>https<\/code> string in links. So any attempt to lure the browser to talk to our server in cleartext will be rewritten to <code>https<\/code> by the browser itself, before a request is sent. The flag <em>includeSubDomains<\/em> means that all subdomains below our hostname are included in this instruction. Be careful here: Working with the domain <code>christian-folini.ch<\/code>, we will be calling the server with this naked hostname without the leading <code>www<\/code>. Setting the flag <em>includeSubDomains<\/em> on such a request effectively means that every hostname within the <code>christian-folini.ch<\/code> domain will only be addressed via <code>https<\/code> in the future. If you continue to run other services on port 80 only, this is dangerous. The flag <em>includeSubDomains<\/em> should only be used if you are really sure all subdomains of your domain run on <code>https<\/code> and this policy is here to stay. A policy can only be withdrawn by serving a new header with a shorter <em>max-age<\/em> (or <em>max-age=0<\/em>) over <code>https<\/code>, and browsers that do not visit the site again keep the old policy until it expires. It is therefore wise to start with a short <em>max-age<\/em> and to raise it to a year once everything works. Now there is also a condition at the end that limits the header to encrypted connections. In fact it is possible to talk in cleartext to the encrypted port here. The server will respond with an error message and the condition makes sure this response does not contain said header. Browsers are required to ignore an <em>STS<\/em> header received over an unencrypted connection anyway, but there is no point in sending it.<\/p>\n<p>The <em>STS<\/em>-header is the most prominent from a group of newer security related headers. Various browsers implement different headers, so it is not very easy to maintain an overview, but the <em>STS<\/em>-header should never be omitted. If we look at the <em>Header<\/em> directive in more detail, we see the additional flag <em>always<\/em>. Without this flag, the module only adds the header to successful responses and skips it, for example, when we return an error. With <em>always<\/em>, we make sure the header is sent on every response.<\/p>\n<p>That\u2019s all the changes to our configuration. 
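To see what the cipher suite string above actually expands to on a given system, and to check the result for the weaknesses discussed, here is an added Python example; it is not part of the original tutorial and not code of the Apache project. It uses the ssl module of the standard library, which wraps the same OpenSSL library mod_ssl links against, so the expansion matches what `openssl ciphers -v '<string>'` prints on the same machine. The audit rules (no anonymous ciphers, no RC4, DES, 3DES or NULL encryption, no MD5 MAC, and a separate warning for key exchanges without forward secrecy) are my own checks and not taken from the page; the constructed description lines in the sample at the end follow the one-line format of `openssl ciphers -v`.

```python
"""Expand an Apache SSLCipherSuite string the way OpenSSL does and audit the result."""
import re
import ssl

# The SSLCipherSuite value from the Apache configuration above.
SSLCIPHERSUITE = ("kEECDH+ECDSA kEECDH kEDH HIGH +SHA !aNULL !eNULL !LOW !MEDIUM "
                  "!MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4")

# A description line looks like:
#   ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
_FIELD = re.compile(r"(Kx|Au|Enc|Mac)=(\S+)")
_ENC = re.compile(r"([^()\s]+)(?:\((\d+)\))?")
_WEAK_ENC = {"None", "RC4", "DES", "3DES", "RC2", "IDEA", "SEED"}


def expand_cipher_suite(spec):
    """Return the TLS 1.2 (and older) ciphers OpenSSL selects for `spec`, in
    server preference order, as the description lines 'openssl ciphers -v' prints.
    TLS 1.3 suites are configured separately in Apache and are filtered out."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if nothing at all matches
    return [c["description"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def parse_description(desc):
    """Split one description line into the cipher name and its Kx/Au/Enc/Mac fields."""
    fields = dict(_FIELD.findall(desc))
    m = _ENC.match(fields.get("Enc", ""))
    return {
        "name": desc.split()[0],
        "Kx": fields.get("Kx"),
        "Au": fields.get("Au"),
        "Enc": m.group(1) if m else "",
        "bits": int(m.group(2)) if m and m.group(2) else 0,
        "Mac": fields.get("Mac"),
    }


def audit_cipher_list(descriptions):
    """Return (severity, cipher, reason) tuples.  'weak' entries must never be
    offered; 'no-pfs' entries work but lack forward secrecy (static RSA key
    exchange, which the HIGH keyword pulls in for old browsers)."""
    findings = []
    for desc in descriptions:
        c = parse_description(desc)
        if c["Au"] == "None":
            findings.append(("weak", c["name"], "anonymous key exchange, no server authentication"))
        if c["Enc"] in _WEAK_ENC or 0 < c["bits"] < 128:
            findings.append(("weak", c["name"], "weak or absent encryption: " + c["Enc"]))
        if c["Mac"] == "MD5":
            findings.append(("weak", c["name"], "MD5 as MAC"))
        if c["Kx"] not in ("ECDH", "DH"):
            findings.append(("no-pfs", c["name"], "no forward secrecy (Kx=%s)" % c["Kx"]))
    return findings


if __name__ == "__main__":
    ciphers = expand_cipher_suite(SSLCIPHERSUITE)
    for i, line in enumerate(ciphers, 1):
        print("%2d  %s" % (i, line))
    for severity, name, reason in audit_cipher_list(ciphers):
        print("%-7s %-32s %s" % (severity, name, reason))
```

Running it prints the negotiable TLS 1.2 ciphers in the order the server will prefer them (ECDHE with AEAD first, SHA-1 ciphers last because of +SHA) followed by the findings; with the suite from the configuration the only findings are the no-pfs entries that HIGH adds, which is the trade-off for supporting old browsers that the text describes.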
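The includeSubDomains caveat and the env=HTTPS condition can be made concrete with a small model of a browser's HSTS store. This is an added Python example and not part of the original tutorial; the behaviour it models (headers over plain HTTP are ignored, max-age=0 withdraws a policy, a policy on the naked domain with includeSubDomains covers every subdomain, http URLs are rewritten before a request is sent) follows RFC 6797. The host names below christian-folini.ch, the www.example.org host and the clock values are constructed for the example.

```python
"""Minimal model of a browser's HSTS store (RFC 6797) for the header set above."""
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into
    {'max_age': int, 'include_subdomains': bool}, or None if it is invalid
    (missing or non-numeric max-age).  Directive names are case-insensitive."""
    policy = {"max_age": None, "include_subdomains": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        # other directives (e.g. preload) are ignored by the browser
    if policy["max_age"] is None:
        return None
    return policy


class HstsStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._hosts = {}  # host -> (expiry timestamp, include_subdomains)

    def observe(self, host, over_tls, header_value):
        """Apply the STS header of a response from `host`.  A header received over
        plain HTTP must be ignored (RFC 6797 section 8.1), which is also why the
        Apache configuration only sets it on encrypted connections."""
        if not over_tls:
            return False
        policy = parse_hsts(header_value)
        if policy is None:
            return False
        host = host.lower()
        if policy["max_age"] == 0:
            self._hosts.pop(host, None)  # max-age=0 withdraws the policy
        else:
            self._hosts[host] = (self._clock() + policy["max_age"], policy["include_subdomains"])
        return True

    def is_known(self, host):
        """True if `host` itself, or a parent domain with includeSubDomains, has an
        unexpired policy: the browser will then only talk HTTPS to it."""
        labels = host.lower().split(".")
        now = self._clock()
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def upgrade(self, url):
        """Rewrite an http:// URL to https:// if the host is known (section 8.3):
        port 80 becomes 443 (the default), any other port is kept."""
        u = urlsplit(url)
        if u.scheme != "http" or not self.is_known(u.hostname):
            return url
        netloc = u.hostname if u.port in (None, 80) else "%s:%d" % (u.hostname, u.port)
        return urlunsplit(("https", netloc, u.path, u.query, u.fragment))
```

The first observe() call in the checks below models the cleartext error response to port 443 that the text mentions: even if the header were present there, the browser would not store it. The second one models the real response, after which every name below christian-folini.ch is forced to https for a year.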
Time to start the server!<\/p>\n<h3 id=\"step-2-trying-it-out\">Step 2: Trying it out<\/h3>\n<div class=\"sourceCode\" id=\"cb3\"><pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb3-1\"><a href=\"#cb3-1\" aria-hidden=\"true\"><\/a>$<span class=\"op\">&gt;<\/span> <span class=\"ex\">curl<\/span> -v https:\/\/127.0.0.1\/index.html<\/span>\n<span id=\"cb3-2\"><a href=\"#cb3-2\" aria-hidden=\"true\"><\/a><span class=\"ex\">*<\/span> Rebuilt URL to: https:\/\/127.0.0.1:443\/<\/span>\n<span id=\"cb3-3\"><a href=\"#cb3-3\" aria-hidden=\"true\"><\/a><span class=\"ex\">*<\/span>   Trying 127.0.0.1...<\/span>\n<span id=\"cb3-4\"><a href=\"#cb3-4\" aria-hidden=\"true\"><\/a><span class=\"ex\">*<\/span> Connected to 127.0.0.1 (127.0.0.1) <span class=\"ex\">port<\/span> 443 (#0)<\/span>\n<span id=\"cb3-5\"><a href=\"#cb3-5\" aria-hidden=\"true\"><\/a><span class=\"ex\">*<\/span> found 173 certificates in \/etc\/ssl\/certs\/ca-certificates.crt<\/span>\n<span id=\"cb3-6\"><a href=\"#cb3-6\" aria-hidden=\"true\"><\/a><span class=\"ex\">*<\/span> found 697 certificates in \/etc\/ssl\/certs<\/span>\n<span id=\"cb3-7\"><a href=\"#cb3-7\" aria-hidden=\"true\"><\/a><span class=\"ex\">*<\/span> ALPN, offering http\/1.1<\/span>\n<span id=\"cb3-8\"><a href=\"#cb3-8\" aria-hidden=\"true\"><\/a><span class=\"ex\">*<\/span> SSL connection using TLS1.2 \/ ECDHE_RSA_AES_256_GCM_SHA384<\/span>\n<span id=\"cb3-9\"><a href=\"#cb3-9\" aria-hidden=\"true\"><\/a><span class=\"ex\">*<\/span>        server certificate verification OK<\/span>\n<span id=\"cb3-10\"><a href=\"#cb3-10\" aria-hidden=\"true\"><\/a><span class=\"ex\">*<\/span>        server certificate status verification SKIPPED<\/span>\n<span id=\"cb3-11\"><a href=\"#cb3-11\" aria-hidden=\"true\"><\/a><span class=\"ex\">*<\/span> SSL: certificate subject name (ubuntu) <span class=\"ex\">does<\/span> not match target host name <span class=\"st\">&#39;127.0.0.1&#39;<\/span><\/span>\n<span id=\"cb3-12\"><a 
href=\"#cb3-12\" aria-hidden=\"true\"><\/a><span class=\"ex\">*<\/span> Closing connection 0<\/span>\n<span id=\"cb3-13\"><a href=\"#cb3-13\" aria-hidden=\"true\"><\/a><span class=\"ex\">curl<\/span>: (51) <span class=\"ex\">SSL<\/span>: certificate subject name (ubuntu) <span class=\"ex\">does<\/span> not match target host name <span class=\"st\">&#39;127.0.0.1&#39;<\/span><\/span><\/code><\/pre><\/div>\n<p>Unfortunately, we were not successful. It\u2019s no wonder, because we were talking to a server at IP address <em>127.0.0.1<\/em> and it replied to us with a certificate issued to the name <em>ubuntu<\/em>, the hostname of the machine on which the <em>snakeoil<\/em> certificate was generated. The output shows that the certificate itself passed verification, but the name check failed: The name in the certificate does not match the host we asked for. This is a typical case of a certificate verification error, and a browser would complain in the same way.<\/p>\n<p>We can instruct <em>curl<\/em> to skip the verification of the certificate and open the connection nonetheless. This is done using the <em>--insecure<\/em>, or <em>-k<\/em> flag. This is acceptable in the lab, but never in a script talking to a production server, as it disables exactly the protection we are setting up here:<\/p>\n<div class=\"sourceCode\" id=\"cb4\"><pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb4-1\"><a href=\"#cb4-1\" aria-hidden=\"true\"><\/a>$<span class=\"op\">&gt;<\/span> <span class=\"ex\">curl<\/span> -v -k https:\/\/127.0.0.1\/index.html<\/span>\n<span id=\"cb4-2\"><a href=\"#cb4-2\" aria-hidden=\"true\"><\/a><span class=\"ex\">*<\/span> Rebuilt URL to: https:\/\/127.0.0.1:443\/<\/span>\n<span id=\"cb4-3\"><a href=\"#cb4-3\" aria-hidden=\"true\"><\/a><span class=\"ex\">*<\/span>   Trying 127.0.0.1...<\/span>\n<span id=\"cb4-4\"><a href=\"#cb4-4\" aria-hidden=\"true\"><\/a><span class=\"ex\">*<\/span> Connected to 127.0.0.1 (127.0.0.1) <span class=\"ex\">port<\/span> 443 (#0)<\/span>\n<span id=\"cb4-5\"><a href=\"#cb4-5\" aria-hidden=\"true\"><\/a><span class=\"ex\">*<\/span> found 173 certificates in \/etc\/ssl\/certs\/ca-certificates.crt<\/span>\n<span id=\"cb4-6\"><a href=\"#cb4-6\" aria-hidden=\"true\"><\/a><span class=\"ex\">*<\/span> found 697 certificates in \/etc\/ssl\/certs<\/span>\n<span id=\"cb4-7\"><a href=\"#cb4-7\" aria-hidden=\"true\"><\/a><span class=\"ex\">*<\/span> ALPN, offering http\/1.1<\/span>\n<span 
id=\"cb4-8\"><a href=\"#cb4-8\" aria-hidden=\"true\"><\/a><span class=\"ex\">*<\/span> SSL connection using TLS1.2 \/ ECDHE_RSA_AES_256_GCM_SHA384<\/span>\n<span id=\"cb4-9\"><a href=\"#cb4-9\" aria-hidden=\"true\"><\/a><span class=\"ex\">*<\/span>        server certificate verification SKIPPED<\/span>\n<span id=\"cb4-10\"><a href=\"#cb4-10\" aria-hidden=\"true\"><\/a><span class=\"ex\">*<\/span>        server certificate status verification SKIPPED<\/span>\n<span id=\"cb4-11\"><a href=\"#cb4-11\" aria-hidden=\"true\"><\/a><span class=\"ex\">*<\/span>        common name: ubuntu (does not match <span class=\"st\">&#39;127.0.0.1&#39;<\/span>)<\/span>\n<span id=\"cb4-12\"><a href=\"#cb4-12\" aria-hidden=\"true\"><\/a><span class=\"ex\">*<\/span>        server certificate expiration date OK<\/span>\n<span id=\"cb4-13\"><a href=\"#cb4-13\" aria-hidden=\"true\"><\/a><span class=\"ex\">*<\/span>        server certificate activation date OK<\/span>\n<span id=\"cb4-14\"><a href=\"#cb4-14\" aria-hidden=\"true\"><\/a><span class=\"ex\">*<\/span>        certificate public key: RSA<\/span>\n<span id=\"cb4-15\"><a href=\"#cb4-15\" aria-hidden=\"true\"><\/a><span class=\"ex\">*<\/span>        certificate version: #3<\/span>\n<span id=\"cb4-16\"><a href=\"#cb4-16\" aria-hidden=\"true\"><\/a><span class=\"ex\">*<\/span>        subject: CN=ubuntu<\/span>\n<span id=\"cb4-17\"><a href=\"#cb4-17\" aria-hidden=\"true\"><\/a><span class=\"ex\">*<\/span>        start date: Mon, 27 Feb 2017 20:46:21 GMT<\/span>\n<span id=\"cb4-18\"><a href=\"#cb4-18\" aria-hidden=\"true\"><\/a><span class=\"ex\">*<\/span>        expire date: Thu, 25 Feb 2027 20:46:21 GMT<\/span>\n<span id=\"cb4-19\"><a href=\"#cb4-19\" aria-hidden=\"true\"><\/a><span class=\"ex\">*<\/span>        issuer: CN=ubuntu<\/span>\n<span id=\"cb4-20\"><a href=\"#cb4-20\" aria-hidden=\"true\"><\/a><span class=\"ex\">*<\/span>        compression: NULL<\/span>\n<span id=\"cb4-21\"><a href=\"#cb4-21\" aria-hidden=\"true\"><\/a><span 
class=\"ex\">*<\/span> ALPN, server accepted to use http\/1.1<\/span>\n<span id=\"cb4-22\"><a href=\"#cb4-22\" aria-hidden=\"true\"><\/a><span class=\"op\">&gt;<\/span> <span class=\"ex\">GET<\/span> \/index.html HTTP\/1.1<\/span>\n<span id=\"cb4-23\"><a href=\"#cb4-23\" aria-hidden=\"true\"><\/a><span class=\"op\">&gt;<\/span> <span class=\"ex\">User-Agent<\/span>: curl\/7.35.0<\/span>\n<span id=\"cb4-24\"><a href=\"#cb4-24\" aria-hidden=\"true\"><\/a><span class=\"op\">&gt;<\/span> <span class=\"ex\">Host<\/span>: 127.0.0.1<\/span>\n<span id=\"cb4-25\"><a href=\"#cb4-25\" aria-hidden=\"true\"><\/a><span class=\"op\">&gt;<\/span> <span class=\"ex\">Accept<\/span>: *\/*<\/span>\n<span id=\"cb4-26\"><a href=\"#cb4-26\" aria-hidden=\"true\"><\/a><span class=\"op\">&gt;<\/span><\/span>\n<span id=\"cb4-27\"><a href=\"#cb4-27\" aria-hidden=\"true\"><\/a><span class=\"op\">&lt;<\/span> <span class=\"ex\">HTTP\/1.1<\/span> 200 OK<\/span>\n<span id=\"cb4-28\"><a href=\"#cb4-28\" aria-hidden=\"true\"><\/a><span class=\"op\">&lt;<\/span> <span class=\"ex\">Date<\/span>: Thu, 01 Oct 2015 07:48:13 GMT<\/span>\n<span id=\"cb4-29\"><a href=\"#cb4-29\" aria-hidden=\"true\"><\/a><span class=\"ex\">*<\/span> Server Apache is not blacklisted<\/span>\n<span id=\"cb4-30\"><a href=\"#cb4-30\" aria-hidden=\"true\"><\/a><span class=\"op\">&lt;<\/span> <span class=\"ex\">Server<\/span>: Apache<\/span>\n<span id=\"cb4-31\"><a href=\"#cb4-31\" aria-hidden=\"true\"><\/a><span class=\"op\">&lt;<\/span> <span class=\"ex\">Strict-Transport-Security<\/span>: max-age=31536000<span class=\"kw\">;<\/span> <span class=\"ex\">includeSubDomains<\/span><\/span>\n<span id=\"cb4-32\"><a href=\"#cb4-32\" aria-hidden=\"true\"><\/a><span class=\"op\">&lt;<\/span> <span class=\"ex\">Last-Modified<\/span>: Thu, 24 Sep 2015 11:54:56 GMT<\/span>\n<span id=\"cb4-33\"><a href=\"#cb4-33\" aria-hidden=\"true\"><\/a><span class=\"op\">&lt;<\/span> <span class=\"ex\">ETag<\/span>: <span 
class=\"st\">&quot;2d-5207ce664322e&quot;<\/span><\/span>\n<span id=\"cb4-34\"><a href=\"#cb4-34\" aria-hidden=\"true\"><\/a><span class=\"op\">&lt;<\/span> <span class=\"ex\">Accept-Ranges<\/span>: bytes<\/span>\n<span id=\"cb4-35\"><a href=\"#cb4-35\" aria-hidden=\"true\"><\/a><span class=\"op\">&lt;<\/span> <span class=\"ex\">Content-Length<\/span>: 45<\/span>\n<span id=\"cb4-36\"><a href=\"#cb4-36\" aria-hidden=\"true\"><\/a><span class=\"op\">&lt;<\/span><\/span>\n<span id=\"cb4-37\"><a href=\"#cb4-37\" aria-hidden=\"true\"><\/a><span class=\"op\">&lt;<\/span><span class=\"ex\">html<\/span><span class=\"op\">&gt;&lt;<\/span>body<span class=\"op\">&gt;&lt;<\/span>h1<span class=\"op\">&gt;<\/span>It works!<span class=\"op\">&lt;<\/span>\/h1<span class=\"op\">&gt;&lt;<\/span>\/body<span class=\"op\">&gt;&lt;<\/span>\/html<span class=\"op\">&gt;<\/span><\/span>\n<span id=\"cb4-38\"><a href=\"#cb4-38\" aria-hidden=\"true\"><\/a><span class=\"ex\">*<\/span> Connection #0 to host 127.0.0.1 left intact<\/span><\/code><\/pre><\/div>\n<p>It works now and our SSL server is running; the <em>Strict-Transport-Security<\/em> header is present in the response as well. Admittedly with a self-signed placeholder certificate, and we are still far from being able to use it in production.<\/p>\n<p>Below we will be discussing how to obtain an official certificate, how to install it correctly and how to tweak our configuration a bit.<\/p>\n<h3 id=\"step-3-preparing-to-get-an-ssl-key-and-certificate\">Step 3: Preparing to get an SSL key and certificate<\/h3>\n<p>HTTPS adds an SSL layer to the familiar HTTP protocol. Technically, SSL (<em>Secure Sockets Layer<\/em>) has long been replaced by TLS (<em>Transport Layer Security<\/em>), but people still refer to it as SSL. The protocol provides encryption and thus data traffic is secured from eavesdropping. The traffic itself is encrypted symmetrically, which is fast, but two previously unknown communication partners first need a public\/private key setup to agree on the symmetric session keys. 
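The reason curl rejected the snakeoil certificate in Step 2 was the name check, which is the part of certificate verification that ties the certificate to the host name in the URL. The following added Python example (not from the tutorial, not the code of curl or of any TLS library) applies the name matching rules a TLS client uses (RFC 6125, now RFC 9525) to a certificate in the dictionary form that Python's ssl.getpeercert() returns. The two certificates are constructed: one resembles the snakeoil certificate (CN=ubuntu, no subjectAltName), the other a certificate one would obtain for christian-folini.ch; neither is a real certificate. An IP literal such as 127.0.0.1 is only ever matched against iPAddress entries of the subjectAltName, never against DNS names or the CN; the CN fallback is kept here only to reproduce the curl message, current browsers skip it and reject certificates without a subjectAltName outright.

```python
"""Server name check of a TLS client, applied to the ssl.getpeercert() dictionary form."""
import ipaddress


def _dns_match(pattern, host):
    """Case-insensitive comparison; a wildcard is only accepted as the whole
    left-most label, matches exactly one label and needs at least two more labels."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    p, h = pattern.split("."), host.split(".")
    return p[0] == "*" and len(p) >= 3 and len(p) == len(h) and p[1:] == h[1:]


def hostname_matches(cert, hostname):
    """Return (ok, reason) for a certificate dictionary and the name the client asked for."""
    sans = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in sans if kind == "DNS"]
    cns = [value for rdn in cert.get("subject", ()) for kind, value in rdn if kind == "commonName"]
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        # IP literals: only iPAddress SAN entries count, never DNS names or the CN.
        for kind, value in sans:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True, "matched iPAddress SAN %s" % value
        return False, "no iPAddress SAN for %s (names in certificate: %s)" % (
            hostname, ", ".join(dns_names or cns) or "none")
    if dns_names:
        for name in dns_names:
            if _dns_match(name, hostname):
                return True, "matched dNSName SAN %s" % name
        return False, "host name %s not in SAN %s" % (hostname, dns_names)
    # Legacy fallback: the Common Name counts only when there is no SAN at all.
    for cn in cns:
        if _dns_match(cn, hostname):
            return True, "matched legacy CN %s" % cn
    return False, "certificate subject name (%s) does not match target host name '%s'" % (
        ", ".join(cns) or "none", hostname)


# Constructed stand-in for the snakeoil certificate from Step 2: CN only, no SAN.
SNAKEOIL = {"subject": ((("commonName", "ubuntu"),),),
            "issuer": ((("commonName", "ubuntu"),),), "version": 3}

# Constructed stand-in for a certificate issued for the tutorial's domain.
SITE_CERT = {
    "subject": ((("commonName", "christian-folini.ch"),),),
    "subjectAltName": (("DNS", "christian-folini.ch"),
                       ("DNS", "*.christian-folini.ch"),
                       ("IP Address", "127.0.0.1")),
}

if __name__ == "__main__":
    for cert, host in ((SNAKEOIL, "127.0.0.1"), (SNAKEOIL, "ubuntu"),
                       (SITE_CERT, "www.christian-folini.ch"), (SITE_CERT, "127.0.0.1")):
        print(host, hostname_matches(cert, host))
```

Running it reproduces the curl failure for SNAKEOIL and 127.0.0.1, and shows why even a properly issued certificate for christian-folini.ch would fail for the IP address unless it carried an iPAddress entry, which a public CA will not issue for a private address.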
This public\/private key handshake is done by using a server certificate which must be signed by an official authority. The handshake is thus meant to extend the browser\u2019s trust in the signing authority to the webserver being contacted. This is done with the help of a chain of trust over multiple certificates.<\/p>\n<p>Server certificates exist in a variety of forms, validations and scopes of application. Not every feature is really of a technical nature; marketing also plays a role. The price differences are very large, which is why a comparison is worthwhile. For our test setup we\u2019ll be using a free certificate that we will nonetheless have officially certified. This is done with the help of <em>Let\u2019s Encrypt<\/em>. This new certificate authority was born in 2015. It hands out official certificates for free and it has simplified the signing process in a very elegant way compared to the traditional commercial certificate authorities.<\/p>\n<p>Before <em>Let\u2019s Encrypt<\/em> will give us a validated certificate for our server, the certificate authority has to be sure that we really are the owners of the domain for which we\u2019ve requested a certificate. This is done as follows: We prove our control over the said domain by placing a security nonce, provided by <em>Let\u2019s Encrypt<\/em>, on the webserver at a predefined location. We then tell <em>Let\u2019s Encrypt<\/em> to come and check the nonce. It will thus make a request to our server and compare the contents of the test file with the nonce it gave us. If the two values are identical, then we have proven that we do in fact control the domain in question and <em>Let\u2019s Encrypt<\/em> will accept us as the owner of said domain. This will be followed by signing a certificate for the domain in question on our behalf. We will then take this certificate and install it on the server.<\/p>\n<p>There are multiple clients to work with <em>Let\u2019s Encrypt<\/em>. 
My colleague Luca K\u00e4ser has mentioned <code>getssl<\/code>, which features simple command-line use and a maximum of control. It is also fit for production use, as it has the option to deploy the token file not only on the local host, but also on a remote server via <code>ssh<\/code>. This is an advantage if you have blocked the server from sending requests to the internet and the server is thus not allowed to call <em>Let\u2019s Encrypt<\/em> itself.<\/p>\n<p>But this is an advanced scenario. For a first try, we call <em>Let\u2019s Encrypt<\/em> directly from the server. As a precondition, we need to get <code>getssl<\/code> ourselves. The tool is so new that it is not yet part of the official Linux distributions. We will download the script. In my case, I will put it in my private <code>bin<\/code> folder. Depending on your setup, you may want to use an alternate location. It\u2019s important that <code>getssl<\/code> can be found via the standard shell path from now on. We fetch the script from <em>GitHub<\/em>. There is the option to clone the whole project directory. 
But we will simplify things by downloading the raw script and making it executable.<\/p>\n<div class=\"sourceCode\" id=\"cb5\"><pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb5-1\"><a href=\"#cb5-1\" aria-hidden=\"true\"><\/a>$<span class=\"op\">&gt;<\/span> <span class=\"fu\">wget<\/span> https:\/\/raw.githubusercontent.com\/srvrco\/getssl\/master\/getssl -O <span class=\"va\">$HOME<\/span>\/bin\/getssl <\/span>\n<span id=\"cb5-2\"><a href=\"#cb5-2\" aria-hidden=\"true\"><\/a><span class=\"ex\">...<\/span><\/span>\n<span id=\"cb5-3\"><a href=\"#cb5-3\" aria-hidden=\"true\"><\/a>$<span class=\"op\">&gt;<\/span> <span class=\"fu\">chmod<\/span> +x <span class=\"va\">$HOME<\/span>\/bin\/getssl<\/span>\n<span id=\"cb5-4\"><a href=\"#cb5-4\" aria-hidden=\"true\"><\/a><span class=\"ex\">...<\/span><\/span><\/code><\/pre><\/div>\n<p>I will use <code>christian-folini.ch<\/code> as my example domain. This will show in the shell commands. Of course, all these commands need to be adapted to your own domain, if they are meant to work.<\/p>\n<p>We will now create the base configuration for our domain.<\/p>\n<div class=\"sourceCode\" id=\"cb6\"><pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb6-1\"><a href=\"#cb6-1\" aria-hidden=\"true\"><\/a>$<span class=\"op\">&gt;<\/span> <span class=\"ex\">getssl<\/span> --create christian-folini.ch<\/span>\n<span id=\"cb6-2\"><a href=\"#cb6-2\" aria-hidden=\"true\"><\/a><span class=\"ex\">...<\/span><\/span><\/code><\/pre><\/div>\n<p>This tells the script to create a file tree. 
These are the folders and files being created:<\/p>\n<div class=\"sourceCode\" id=\"cb7\"><pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb7-1\"><a href=\"#cb7-1\" aria-hidden=\"true\"><\/a><span class=\"ex\">.getssl<\/span><\/span>\n<span id=\"cb7-2\"><a href=\"#cb7-2\" aria-hidden=\"true\"><\/a><span class=\"ex\">.getssl\/getssl.cfg<\/span><\/span>\n<span id=\"cb7-3\"><a href=\"#cb7-3\" aria-hidden=\"true\"><\/a><span class=\"ex\">.getssl\/christian-folini.ch<\/span><\/span>\n<span id=\"cb7-4\"><a href=\"#cb7-4\" aria-hidden=\"true\"><\/a><span class=\"ex\">.getssl\/christian-folini.ch\/christian-folini.ch.crt<\/span><\/span>\n<span id=\"cb7-5\"><a href=\"#cb7-5\" aria-hidden=\"true\"><\/a><span class=\"ex\">.getssl\/christian-folini.ch\/getssl.cfg<\/span><\/span><\/code><\/pre><\/div>\n<p>Before we can call for the creation of a certificate, it is important to edit the two <code>getssl.cfg<\/code> files a bit. First the base configuration in the file <code>.getssl\/getssl.cfg<\/code>. For this file, you need to know that <em>Let\u2019s Encrypt<\/em> runs a test certificate authority at the URL <code>https:\/\/acme-staging.api.letsencrypt.org<\/code> where you can check your setup &#8211; and a real certificate authority which creates the official certificates. It is useful to create your setup with the test CA first and then, when the paths are correct and the validation has worked, enable the official CA at <code>https:\/\/acme-v01.api.letsencrypt.org<\/code>. In <code>.getssl\/getssl.cfg<\/code>, the test CA is active by default. At the beginning, there is not really much to do; entering a correct address for <code>ACCOUNT_EMAIL<\/code> sounds good, though.<\/p>\n<p>Let\u2019s move on to the configuration file for the domain, <code>.getssl\/christian-folini.ch\/getssl.cfg<\/code>. Here, we check the value for <code>SANS<\/code>. 
I suspect this means <code>Subject Alternative NameS<\/code> and defines additional host names &#8211; or in the CA language <code>Subject-Names<\/code> &#8211; which will be added to the certificate. In the case of the domain <code>christian-folini.ch<\/code> we expect <code>SANS=www.christian-folini.ch<\/code>, which really is a different hostname and needs to be declared separately. Most of the other values are commented out, which means that the values defined in the main configuration file will be inherited and we do not have to set them. An important value has to be set though: <code>acl<\/code>. For our tutorial, I am setting it as follows:<\/p>\n<div class=\"sourceCode\" id=\"cb8\"><pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb8-1\"><a href=\"#cb8-1\" aria-hidden=\"true\"><\/a><span class=\"va\">acl=<\/span><span class=\"st\">&#39;\/apache\/htdocs\/.well-known\/acme-challenge&#39;<\/span><\/span><\/code><\/pre><\/div>\n<p>This defines the path of the token that <code>getssl<\/code> will place in the file system in order to have it checked by <em>Let\u2019s Encrypt<\/em>. In other words, the script will place the token in this location and tell the certificate authority to fetch the token via the webserver. If that works and the token is correct, we are confirmed as owners of the domain and we will get the valid certificate. The part of the <code>acl<\/code> path from <code>.well-known<\/code> on to the end corresponds with the <em>Let\u2019s Encrypt<\/em> standard; the part in front of it is the document root of our webserver and can take any other value.<\/p>\n<p>Besides our domain name, we have entered an alternate name in the variable <code>SANS<\/code>. <em>Let\u2019s Encrypt<\/em> will check both names and it will place an individual token for both names. 
We can handle this by entering the same path twice under <code>acl<\/code>, or we can enable the variable <code>USE_SINGLE_ACL<\/code>, which is much more elegant.<\/p>\n<h3 id=\"step-4-getting-the-ssl-key-and-certificate\">Step 4: Getting the SSL key and certificate<\/h3>\n<p>Let\u2019s start our call to <em>Let\u2019s Encrypt<\/em>:<\/p>\n<div class=\"sourceCode\" id=\"cb9\"><pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb9-1\"><a href=\"#cb9-1\" aria-hidden=\"true\"><\/a>$<span class=\"op\">&gt;<\/span> <span class=\"ex\">getssl<\/span> christian-folini.ch<\/span>\n<span id=\"cb9-2\"><a href=\"#cb9-2\" aria-hidden=\"true\"><\/a><span class=\"ex\">archiving<\/span> old certificate file to \/home\/dune73\/.getssl\/christian-folini.ch\/christian-folini.ch. \u2026<\/span>\n<span id=\"cb9-3\"><a href=\"#cb9-3\" aria-hidden=\"true\"><\/a><span class=\"ex\">creating<\/span> account key \/home\/folini\/.getssl\/account.key<\/span>\n<span id=\"cb9-4\"><a href=\"#cb9-4\" aria-hidden=\"true\"><\/a><span class=\"ex\">Generating<\/span> RSA private key, 4096 bit long modulus<\/span>\n<span id=\"cb9-5\"><a href=\"#cb9-5\" aria-hidden=\"true\"><\/a><span class=\"ex\">..................................................++<\/span><\/span>\n<span id=\"cb9-6\"><a href=\"#cb9-6\" aria-hidden=\"true\"><\/a><span class=\"ex\">............................................................++<\/span><\/span>\n<span id=\"cb9-7\"><a href=\"#cb9-7\" aria-hidden=\"true\"><\/a><span class=\"ex\">e<\/span> is 65537 (0x10001)<\/span>\n<span id=\"cb9-8\"><a href=\"#cb9-8\" aria-hidden=\"true\"><\/a><span class=\"ex\">creating<\/span> domain key - \/home\/folini\/.getssl\/christian-folini.ch\/christian-folini.ch.key<\/span>\n<span id=\"cb9-9\"><a href=\"#cb9-9\" aria-hidden=\"true\"><\/a><span class=\"ex\">Generating<\/span> RSA private key, 4096 bit long modulus<\/span>\n<span id=\"cb9-10\"><a href=\"#cb9-10\" aria-hidden=\"true\"><\/a><span 
class=\"ex\">..............++<\/span><\/span>\n<span id=\"cb9-11\"><a href=\"#cb9-11\" aria-hidden=\"true\"><\/a><span class=\"ex\">...................................++<\/span><\/span>\n<span id=\"cb9-12\"><a href=\"#cb9-12\" aria-hidden=\"true\"><\/a><span class=\"ex\">e<\/span> is 65537 (0x10001)<\/span>\n<span id=\"cb9-13\"><a href=\"#cb9-13\" aria-hidden=\"true\"><\/a><span class=\"ex\">creating<\/span> domain csr - \/home\/folini\/.getssl\/christian-folini.ch\/christian-folini.ch.csr<\/span>\n<span id=\"cb9-14\"><a href=\"#cb9-14\" aria-hidden=\"true\"><\/a><span class=\"ex\">Registering<\/span> account<\/span>\n<span id=\"cb9-15\"><a href=\"#cb9-15\" aria-hidden=\"true\"><\/a><span class=\"ex\">Registered<\/span><\/span>\n<span id=\"cb9-16\"><a href=\"#cb9-16\" aria-hidden=\"true\"><\/a><span class=\"ex\">Verify<\/span> each domain<\/span>\n<span id=\"cb9-17\"><a href=\"#cb9-17\" aria-hidden=\"true\"><\/a><span class=\"ex\">Verifing<\/span> christian-folini.ch<\/span>\n<span id=\"cb9-18\"><a href=\"#cb9-18\" aria-hidden=\"true\"><\/a><span class=\"ex\">copying<\/span> challenge token to \/apache\/htdocs\/.well-known\/acme-challenge\/xiM4FlHAqxo9fuAG-Ag-\u2026<\/span>\n<span id=\"cb9-19\"><a href=\"#cb9-19\" aria-hidden=\"true\"><\/a><span class=\"ex\">Pending<\/span><\/span>\n<span id=\"cb9-20\"><a href=\"#cb9-20\" aria-hidden=\"true\"><\/a><span class=\"ex\">Verified<\/span> christian-folini.ch<\/span>\n<span id=\"cb9-21\"><a href=\"#cb9-21\" aria-hidden=\"true\"><\/a><span class=\"ex\">Verifing<\/span> www.christian-folini.ch<\/span>\n<span id=\"cb9-22\"><a href=\"#cb9-22\" aria-hidden=\"true\"><\/a><span class=\"ex\">copying<\/span> challenge token to \/apache\/htdocs\/.well-known\/acme-challenge\/QK4x1EyQ1Su7qZ-XTJL7\u2026 <\/span>\n<span id=\"cb9-23\"><a href=\"#cb9-23\" aria-hidden=\"true\"><\/a><span class=\"ex\">Verified<\/span> www.christian-folini.ch<\/span>\n<span id=\"cb9-24\"><a href=\"#cb9-24\" aria-hidden=\"true\"><\/a><span 
class=\"ex\">Verification<\/span> completed, obtaining certificate.<\/span>\n<span id=\"cb9-25\"><a href=\"#cb9-25\" aria-hidden=\"true\"><\/a><span class=\"ex\">Certificate<\/span> saved in \/home\/folini\/.getssl\/christian-folini.ch\/christian-folini.ch.crt<\/span>\n<span id=\"cb9-26\"><a href=\"#cb9-26\" aria-hidden=\"true\"><\/a><span class=\"ex\">The<\/span> intermediate CA cert is in \/home\/folini\/.getssl\/christian-folini.ch\/chain.crt<\/span>\n<span id=\"cb9-27\"><a href=\"#cb9-27\" aria-hidden=\"true\"><\/a><span class=\"ex\">getssl<\/span>: christian-folini.ch - certificate obtained but certificate on server is different \u2026<\/span>\n<span id=\"cb9-28\"><a href=\"#cb9-28\" aria-hidden=\"true\"><\/a><span class=\"ex\">from<\/span> the new certificate<\/span><\/code><\/pre><\/div>\n<p>You can see how new keys were first created (an account key and a domain key). Then the script created a <code>Certificate Signing Request<\/code> with the file extension <code>csr<\/code> and the test file <code>\/apache\/htdocs\/.well-known\/acme-challenge\/xiM4FlHAqxo9fuAG-Ag-BTV_DsUJAbegPoZ6-l_luSA<\/code>. This was followed by the request to check the domain and sign the certificate. 
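The validation round trip triggered by that request, as an added example (Python, not code from getssl or Let's Encrypt): the token file goes under an acl-style directory, a stand-in for Apache serves it from the document root, and a CA-side check compares it, including the two failure modes of an acl outside the served tree and a file written for another account key. In the ACME protocol the file body is not the bare nonce but the token joined with a thumbprint of the account key (RFC 8555 and RFC 7638); the account key, the extra tokens and all function names are constructed or assumed.

```python
"""Simulating the Let's Encrypt HTTP-01 validation described above.

Added example, not code from getssl or Let's Encrypt.  It writes the challenge
file into an acl-style directory, serves it with a minimal stand-in for Apache
and runs the CA-side comparison, all offline in temporary directories.
"""
import base64
import hashlib
import json
import os
import tempfile

# URL prefix the validation server requests; fixed by the ACME standard
ACME_CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canon = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canon.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """File body the CA expects (RFC 8555): the token bound to the account key."""
    return token + "." + jwk_thumbprint(account_jwk)


def place_token(acl_dir: str, token: str, account_jwk: dict) -> str:
    """Client side (what getssl does with `acl`): write the challenge file."""
    os.makedirs(acl_dir, exist_ok=True)
    path = os.path.join(acl_dir, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authorization(token, account_jwk))
    return path


def serve_from_docroot(docroot: str, url_path: str):
    """Stand-in for Apache: map the URL path onto DocumentRoot, refusing traversal."""
    rel = os.path.normpath(url_path.lstrip("/"))
    if rel.startswith("..") or os.path.isabs(rel):
        return 403, b""
    full = os.path.join(docroot, rel)
    if not os.path.isfile(full):
        return 404, b""
    with open(full, "rb") as fh:
        return 200, fh.read()


def ca_validate(fetch, token: str, account_jwk: dict) -> bool:
    """CA side: fetch the challenge URL and compare against the expected body."""
    status, body = fetch(ACME_CHALLENGE_PREFIX + token)
    if status != 200:
        return False
    # a real CA tolerates trailing whitespace in the file, nothing else
    return body.decode("ascii", "replace").strip() == key_authorization(token, account_jwk)


def run_challenge(docroot: str, acl_dir: str, token: str, account_jwk: dict) -> bool:
    """Full round trip: place the file, let the 'CA' fetch it through the 'webserver'."""
    place_token(acl_dir, token, account_jwk)
    return ca_validate(lambda p: serve_from_docroot(docroot, p), token, account_jwk)


# constructed sample account key (public members only, not a real RSA modulus)
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(b"constructed-sample-modulus")}
# token taken from the getssl output above; the other tokens below are constructed
SAMPLE_TOKEN = "xiM4FlHAqxo9fuAG-Ag-BTV_DsUJAbegPoZ6-l_luSA"


def demo() -> tuple:
    """Returns (acl inside DocumentRoot, acl outside it, file written for another key)."""
    with tempfile.TemporaryDirectory() as docroot, tempfile.TemporaryDirectory() as elsewhere:
        def fetch(url_path):
            return serve_from_docroot(docroot, url_path)

        acl = os.path.join(docroot, ".well-known", "acme-challenge")
        ok = run_challenge(docroot, acl, SAMPLE_TOKEN, SAMPLE_JWK)
        # acl pointing outside the served tree: the CA gets a 404 and refuses to sign
        not_served = run_challenge(docroot, elsewhere, "constructed-token-2", SAMPLE_JWK)
        # file present but bound to a different account key: mismatch, refused as well
        place_token(acl, "constructed-token-3", dict(SAMPLE_JWK, n=b64url(b"other-modulus")))
        wrong_key = ca_validate(fetch, "constructed-token-3", SAMPLE_JWK)
        return ok, not_served, wrong_key


if __name__ == "__main__":
    print("inside docroot, outside docroot, wrong key:", demo())
```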
In the server\u2019s access log, we will then see the following entry (the IP addresses of the validation server and the exact filename can vary):<\/p>\n<div class=\"sourceCode\" id=\"cb10\"><pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb10-1\"><a href=\"#cb10-1\" aria-hidden=\"true\"><\/a><span class=\"ex\">66.133.109.36<\/span> US - [2016-10-02 06:26:40.635068] \u2026<\/span>\n<span id=\"cb10-2\"><a href=\"#cb10-2\" aria-hidden=\"true\"><\/a><span class=\"st\">&quot;GET \/.well-known\/acme-challenge\/zg0bwpHNmRmFdXS4YeTgjBKiy84JoYDpu-cHON2mC9k HTTP\/1.1&quot;<\/span> \u2026<\/span>\n<span id=\"cb10-3\"><a href=\"#cb10-3\" aria-hidden=\"true\"><\/a><span class=\"ex\">200<\/span> 87 <span class=\"st\">&quot;-&quot;<\/span> <span class=\"st\">&quot;Mozilla\/5.0 (compatible; Let&#39;s Encrypt validation server; +https:\/\/www.letsencrypt.org)&quot;<\/span><\/span><\/code><\/pre><\/div>\n<p>If we check the output of the <code>getssl<\/code> command again, we see that the verification was performed twice, once for each name. A certificate has also been signed and delivered. But still, there was something wrong: on the last line, the script reports that the certificate on the server does not correspond to the one we have been given. That really is the case, because we do not yet have the new certificate installed on the server. In fact, the script is able to perform this installation in a single run (the special variables used for this feature will be explained further down below).<\/p>\n<p>I have proposed to do a first test run with the test certificate authority of <em>Let\u2019s Encrypt<\/em>. If the script runs smoothly, then you can switch to the production certificate authority. The call remains the same and we will get an official certificate signed for public use, ready to be deployed on the server.<\/p>\n<p>But let\u2019s have a closer look at the certificate first. We will use the command line version of <em>OpenSSL<\/em>. 
We will watch out for the fields <code>Validity<\/code> with the validity period of the certificate (three months), the <code>Signature Algorithm<\/code>, the <code>Public Key Algorithm<\/code> and of course <code>Subject<\/code> together with <code>Subject Alternative Name<\/code>:<\/p>\n<div class=\"sourceCode\" id=\"cb11\"><pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb11-1\"><a href=\"#cb11-1\" aria-hidden=\"true\"><\/a>$<span class=\"op\">&gt;<\/span> <span class=\"ex\">openssl<\/span> x509 -text -in <span class=\"va\">$HOME<\/span>\/.getssl\/christian-folini.ch\/christian-folini.ch.crt<\/span>\n<span id=\"cb11-2\"><a href=\"#cb11-2\" aria-hidden=\"true\"><\/a><span class=\"ex\">Certificate<\/span>:<\/span>\n<span id=\"cb11-3\"><a href=\"#cb11-3\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">Data<\/span>:<\/span>\n<span id=\"cb11-4\"><a href=\"#cb11-4\" aria-hidden=\"true\"><\/a>        <span class=\"ex\">Version<\/span>: 3 (0x2)<\/span>\n<span id=\"cb11-5\"><a href=\"#cb11-5\" aria-hidden=\"true\"><\/a>        <span class=\"ex\">Serial<\/span> Number:<\/span>\n<span id=\"cb11-6\"><a href=\"#cb11-6\" aria-hidden=\"true\"><\/a>            <span class=\"ex\">03<\/span>:42:97:46:58:7d:dd:38:6e:1d:b2:fa:76:1c:57:50:b5:22<\/span>\n<span id=\"cb11-7\"><a href=\"#cb11-7\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">Signature<\/span> Algorithm: sha256WithRSAEncryption<\/span>\n<span id=\"cb11-8\"><a href=\"#cb11-8\" aria-hidden=\"true\"><\/a>        <span class=\"ex\">Issuer<\/span>: C=US, O=Let<span class=\"st\">&#39;s Encrypt, CN=Let&#39;<\/span>s Encrypt Authority X3<\/span>\n<span id=\"cb11-9\"><a href=\"#cb11-9\" aria-hidden=\"true\"><\/a>        <span class=\"ex\">Validity<\/span><\/span>\n<span id=\"cb11-10\"><a href=\"#cb11-10\" aria-hidden=\"true\"><\/a>            <span class=\"ex\">Not<\/span> Before: Oct  2 06:24:00 2016 GMT<\/span>\n<span id=\"cb11-11\"><a href=\"#cb11-11\" aria-hidden=\"true\"><\/a>            
<span class=\"ex\">Not<\/span> After : Dec 31 06:24:00 2016 GMT<\/span>\n<span id=\"cb11-12\"><a href=\"#cb11-12\" aria-hidden=\"true\"><\/a>        <span class=\"ex\">Subject<\/span>: CN=christian-folini.ch<\/span>\n<span id=\"cb11-13\"><a href=\"#cb11-13\" aria-hidden=\"true\"><\/a>        <span class=\"ex\">Subject<\/span> Public Key Info:<\/span>\n<span id=\"cb11-14\"><a href=\"#cb11-14\" aria-hidden=\"true\"><\/a>            <span class=\"ex\">Public<\/span> Key Algorithm: rsaEncryption<\/span>\n<span id=\"cb11-15\"><a href=\"#cb11-15\" aria-hidden=\"true\"><\/a>                <span class=\"ex\">Public-Key<\/span>: (4096 bit)<\/span>\n<span id=\"cb11-16\"><a href=\"#cb11-16\" aria-hidden=\"true\"><\/a>                <span class=\"ex\">Modulus<\/span>:<\/span>\n<span id=\"cb11-17\"><a href=\"#cb11-17\" aria-hidden=\"true\"><\/a>                    <span class=\"ex\">00<\/span>:ac:e6:34:3a:6d:83:37:31:6e:7a:c5:d1:50:99:<\/span>\n<span id=\"cb11-18\"><a href=\"#cb11-18\" aria-hidden=\"true\"><\/a>                    <span class=\"ex\">93<\/span>:59:b7:12:d6:28:be:fd:cf:3a:25:f0:d0:0f:9d:<\/span>\n<span id=\"cb11-19\"><a href=\"#cb11-19\" aria-hidden=\"true\"><\/a>                    <span class=\"ex\">c2<\/span>:d9:8f:77:7b:6c:c8:38:41:26:43:c0:ec:91:46:<\/span>\n<span id=\"cb11-20\"><a href=\"#cb11-20\" aria-hidden=\"true\"><\/a>                    <span class=\"ex\">c9<\/span>:d4:e7:02:40:e9:90:e0:1f:82:f1:00:53:92:1f:<\/span>\n<span id=\"cb11-21\"><a href=\"#cb11-21\" aria-hidden=\"true\"><\/a>                    <span class=\"ex\">bd<\/span>:af:47:15:f5:59:03:71:0e:e7:ac:cf:d5:89:f2:<\/span>\n<span id=\"cb11-22\"><a href=\"#cb11-22\" aria-hidden=\"true\"><\/a>                    <span class=\"ex\">fc<\/span>:b7:8a:84:26:37:f4:0d:16:5e:79:c8:8a:87:ec:<\/span>\n<span id=\"cb11-23\"><a href=\"#cb11-23\" aria-hidden=\"true\"><\/a>                    <span class=\"ex\">8c<\/span>:c0:de:cb:1e:23:36:68:6a:c0:9c:51:04:77:cc:<\/span>\n<span id=\"cb11-24\"><a 
href=\"#cb11-24\" aria-hidden=\"true\"><\/a>                    <span class=\"ex\">21<\/span>:01:47:02:3c:d4:6b:fe:c7:b4:d7:b0:05:04:ad:<\/span>\n<span id=\"cb11-25\"><a href=\"#cb11-25\" aria-hidden=\"true\"><\/a>                    <span class=\"ex\">42<\/span>:e8:fd:41:2d:28:69:85:ba:eb:f2:f9:73:a6:5b:<\/span>\n<span id=\"cb11-26\"><a href=\"#cb11-26\" aria-hidden=\"true\"><\/a>                    <span class=\"ex\">50<\/span>:1e:a7:df:ec:ae:ab:69:fd:99:f3:90:f0:2b:89:<\/span>\n<span id=\"cb11-27\"><a href=\"#cb11-27\" aria-hidden=\"true\"><\/a>                    <span class=\"ex\">1c<\/span>:0d:9b:08:5b:ab:5a:6d:70:aa:9e:9c:72:bd:32:<\/span>\n<span id=\"cb11-28\"><a href=\"#cb11-28\" aria-hidden=\"true\"><\/a>                    <span class=\"ex\">dc<\/span>:8a:91:b1:78:b8:c1:87:2a:7c:53:64:d7:69:00:<\/span>\n<span id=\"cb11-29\"><a href=\"#cb11-29\" aria-hidden=\"true\"><\/a>                    <span class=\"ex\">5b<\/span>:06:07:14:21:80:13:9e:f3:9c:fd:c9:41:93:60:<\/span>\n<span id=\"cb11-30\"><a href=\"#cb11-30\" aria-hidden=\"true\"><\/a>                    <span class=\"ex\">6f<\/span>:5a:55:4f:66:f5:50:e7:a9:dc:e2:51:5e:19:5a:<\/span>\n<span id=\"cb11-31\"><a href=\"#cb11-31\" aria-hidden=\"true\"><\/a>                    <span class=\"ex\">a3<\/span>:5d:a3:58:b1:cb:96:b8:62:80:f1:73:cd:32:9c:<\/span>\n<span id=\"cb11-32\"><a href=\"#cb11-32\" aria-hidden=\"true\"><\/a>                    <span class=\"ex\">fd<\/span>:b2:3c:44:05:a2:d1:0f:78:0b:2a:2e:43:15:21:<\/span>\n<span id=\"cb11-33\"><a href=\"#cb11-33\" aria-hidden=\"true\"><\/a>                    <span class=\"ex\">2f<\/span>:81:b0:30:73:8d:ba:fb:e5:ce:0e:49:f5:08:62:<\/span>\n<span id=\"cb11-34\"><a href=\"#cb11-34\" aria-hidden=\"true\"><\/a>                    <span class=\"ex\">dd<\/span>:af:bb:bb:6a:57:04:e6:43:53:b8:d0:ba:c5:bf:<\/span>\n<span id=\"cb11-35\"><a href=\"#cb11-35\" aria-hidden=\"true\"><\/a>                    <span 
class=\"ex\">6a<\/span>:0a:17:12:7e:23:a3:bf:c3:a3:ff:50:ad:fc:54:<\/span>\n<span id=\"cb11-36\"><a href=\"#cb11-36\" aria-hidden=\"true\"><\/a>                    <span class=\"ex\">75<\/span>:84:f6:e0:0c:5e:75:83:aa:cd:ba:ce:e2:43:cf:<\/span>\n<span id=\"cb11-37\"><a href=\"#cb11-37\" aria-hidden=\"true\"><\/a>                    <span class=\"ex\">e6<\/span>:65:92:55:b7:3e:02:72:6d:0b:5d:45:18:ae:09:<\/span>\n<span id=\"cb11-38\"><a href=\"#cb11-38\" aria-hidden=\"true\"><\/a>                    <span class=\"ex\">a1<\/span>:ab:b8:b8:24:d1:ae:74:43:dc:e5:4f:0a:37:b9:<\/span>\n<span id=\"cb11-39\"><a href=\"#cb11-39\" aria-hidden=\"true\"><\/a>                    <span class=\"ex\">05<\/span>:8e:37:b0:67:01:5e:50:b4:7c:89:52:90:d2:fa:<\/span>\n<span id=\"cb11-40\"><a href=\"#cb11-40\" aria-hidden=\"true\"><\/a>                    <span class=\"ex\">59<\/span>:c0:33:31:f3:f0:35:80:38:a1:1b:fb:7f:c9:d2:<\/span>\n<span id=\"cb11-41\"><a href=\"#cb11-41\" aria-hidden=\"true\"><\/a>                    <span class=\"ex\">5e<\/span>:40:75:0f:33:73:1e:eb:dc:e3:9a:d1:dc:d6:94:<\/span>\n<span id=\"cb11-42\"><a href=\"#cb11-42\" aria-hidden=\"true\"><\/a>                    <span class=\"ex\">a9<\/span>:55:2a:f0:71:20:5e:64:71:b0:cf:03:3e:45:76:<\/span>\n<span id=\"cb11-43\"><a href=\"#cb11-43\" aria-hidden=\"true\"><\/a>                    <span class=\"ex\">a6<\/span>:ff:f1:12:93:5d:0c:d1:2b:5f:fd:1d:6e:ef:71:<\/span>\n<span id=\"cb11-44\"><a href=\"#cb11-44\" aria-hidden=\"true\"><\/a>                    <span class=\"ex\">69<\/span>:74:f1:dc:a8:64:c0:6b:a8:14:fc:7b:77:4d:d2:<\/span>\n<span id=\"cb11-45\"><a href=\"#cb11-45\" aria-hidden=\"true\"><\/a>                    <span class=\"ex\">42<\/span>:41:15:fc:10:84:9f:9b:78:bb:64:b1:6c:22:e4:<\/span>\n<span id=\"cb11-46\"><a href=\"#cb11-46\" aria-hidden=\"true\"><\/a>                    <span class=\"ex\">c1<\/span>:7d:6b:25:95:2a:91:70:16:4a:87:82:38:cd:7f:<\/span>\n<span id=\"cb11-47\"><a href=\"#cb11-47\" 
aria-hidden=\"true\"><\/a>                    <span class=\"ex\">0a<\/span>:03:ce:f0:68:c7:29:e5:63:f0:8a:ea:37:2f:ad:<\/span>\n<span id=\"cb11-48\"><a href=\"#cb11-48\" aria-hidden=\"true\"><\/a>                    <span class=\"ex\">fd<\/span>:ee:89:89:47:12:59:e8:95:c1:48:49:95:96:39:<\/span>\n<span id=\"cb11-49\"><a href=\"#cb11-49\" aria-hidden=\"true\"><\/a>                    <span class=\"ex\">e8<\/span>:a0:c5:7e:6f:83:6b:bb:fd:8a:00:74:91:54:a4:<\/span>\n<span id=\"cb11-50\"><a href=\"#cb11-50\" aria-hidden=\"true\"><\/a>                    <span class=\"ex\">f9<\/span>:89:2c:b9:5b:80:d5:d3:52:5e:41:c4:aa:c5:a5:<\/span>\n<span id=\"cb11-51\"><a href=\"#cb11-51\" aria-hidden=\"true\"><\/a>                    <span class=\"ex\">f6<\/span>:bb:e5<\/span>\n<span id=\"cb11-52\"><a href=\"#cb11-52\" aria-hidden=\"true\"><\/a>                <span class=\"ex\">Exponent<\/span>: 65537 (0x10001)<\/span>\n<span id=\"cb11-53\"><a href=\"#cb11-53\" aria-hidden=\"true\"><\/a>        <span class=\"ex\">X509v3<\/span> extensions:<\/span>\n<span id=\"cb11-54\"><a href=\"#cb11-54\" aria-hidden=\"true\"><\/a>            <span class=\"ex\">X509v3<\/span> Key Usage: critical<\/span>\n<span id=\"cb11-55\"><a href=\"#cb11-55\" aria-hidden=\"true\"><\/a>                <span class=\"ex\">Digital<\/span> Signature, Key Encipherment<\/span>\n<span id=\"cb11-56\"><a href=\"#cb11-56\" aria-hidden=\"true\"><\/a>            <span class=\"ex\">X509v3<\/span> Extended Key Usage: <\/span>\n<span id=\"cb11-57\"><a href=\"#cb11-57\" aria-hidden=\"true\"><\/a>                <span class=\"ex\">TLS<\/span> Web Server Authentication, TLS Web Client Authentication<\/span>\n<span id=\"cb11-58\"><a href=\"#cb11-58\" aria-hidden=\"true\"><\/a>            <span class=\"ex\">X509v3<\/span> Basic Constraints: critical<\/span>\n<span id=\"cb11-59\"><a href=\"#cb11-59\" aria-hidden=\"true\"><\/a>                <span class=\"ex\">CA<\/span>:FALSE<\/span>\n<span id=\"cb11-60\"><a href=\"#cb11-60\" 
aria-hidden=\"true\"><\/a>            <span class=\"ex\">X509v3<\/span> Subject Key Identifier: <\/span>\n<span id=\"cb11-61\"><a href=\"#cb11-61\" aria-hidden=\"true\"><\/a>                <span class=\"ex\">18<\/span>:46:FD:E3:B3:4C:25:57:46:4A:38:DA:23:78:94:34:23:32:F3:39<\/span>\n<span id=\"cb11-62\"><a href=\"#cb11-62\" aria-hidden=\"true\"><\/a>            <span class=\"ex\">X509v3<\/span> Authority Key Identifier: <\/span>\n<span id=\"cb11-63\"><a href=\"#cb11-63\" aria-hidden=\"true\"><\/a>                <span class=\"ex\">keyid<\/span>:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1<\/span>\n<span id=\"cb11-64\"><a href=\"#cb11-64\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb11-65\"><a href=\"#cb11-65\" aria-hidden=\"true\"><\/a>            <span class=\"ex\">Authority<\/span> Information Access: <\/span>\n<span id=\"cb11-66\"><a href=\"#cb11-66\" aria-hidden=\"true\"><\/a>                <span class=\"ex\">OCSP<\/span> - URI:http:\/\/ocsp.int-x3.letsencrypt.org\/<\/span>\n<span id=\"cb11-67\"><a href=\"#cb11-67\" aria-hidden=\"true\"><\/a>                <span class=\"ex\">CA<\/span> Issuers - URI:http:\/\/cert.int-x3.letsencrypt.org\/<\/span>\n<span id=\"cb11-68\"><a href=\"#cb11-68\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb11-69\"><a href=\"#cb11-69\" aria-hidden=\"true\"><\/a>            <span class=\"ex\">X509v3<\/span> Subject Alternative Name: <\/span>\n<span id=\"cb11-70\"><a href=\"#cb11-70\" aria-hidden=\"true\"><\/a>                <span class=\"ex\">DNS<\/span>:christian-folini.ch, DNS:www.christian-folini.ch<\/span>\n<span id=\"cb11-71\"><a href=\"#cb11-71\" aria-hidden=\"true\"><\/a>            <span class=\"ex\">X509v3<\/span> Certificate Policies: <\/span>\n<span id=\"cb11-72\"><a href=\"#cb11-72\" aria-hidden=\"true\"><\/a>                <span class=\"ex\">Policy<\/span>: 2.23.140.1.2.1<\/span>\n<span id=\"cb11-73\"><a href=\"#cb11-73\" aria-hidden=\"true\"><\/a>                <span 
class=\"ex\">Policy<\/span>: 1.3.6.1.4.1.44947.1.1.1<\/span>\n<span id=\"cb11-74\"><a href=\"#cb11-74\" aria-hidden=\"true\"><\/a>                  <span class=\"ex\">CPS<\/span>: http:\/\/cps.letsencrypt.org<\/span>\n<span id=\"cb11-75\"><a href=\"#cb11-75\" aria-hidden=\"true\"><\/a>                  <span class=\"ex\">User<\/span> Notice:<\/span>\n<span id=\"cb11-76\"><a href=\"#cb11-76\" aria-hidden=\"true\"><\/a>                    <span class=\"ex\">Explicit<\/span> Text: This Certificate may only be relied upon by \u2026<\/span>\n<span id=\"cb11-77\"><a href=\"#cb11-77\" aria-hidden=\"true\"><\/a>                    <span class=\"ex\">Relying<\/span> Parties and only in accordance with the Certificate \u2026<\/span>\n<span id=\"cb11-78\"><a href=\"#cb11-78\" aria-hidden=\"true\"><\/a>                    <span class=\"ex\">Policy<\/span> found at https:\/\/letsencrypt.org\/repository\/<\/span>\n<span id=\"cb11-79\"><a href=\"#cb11-79\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb11-80\"><a href=\"#cb11-80\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">Signature<\/span> Algorithm: sha256WithRSAEncryption<\/span>\n<span id=\"cb11-81\"><a href=\"#cb11-81\" aria-hidden=\"true\"><\/a>         <span class=\"ex\">53<\/span>:12:78:10:52:13:29:ae:6c:a2:2d:94:1b:34:5a:07:25:0f:<\/span>\n<span id=\"cb11-82\"><a href=\"#cb11-82\" aria-hidden=\"true\"><\/a>         <span class=\"ex\">e0<\/span>:0e:e7:cd:bb:b6:ea:14:ef:93:76:ad:19:92:aa:9f:9a:b0:<\/span>\n<span id=\"cb11-83\"><a href=\"#cb11-83\" aria-hidden=\"true\"><\/a>         <span class=\"ex\">cf<\/span>:a1:b9:2f:96:80:af:1d:5f:df:2a:2b:52:fd:05:be:23:21:<\/span>\n<span id=\"cb11-84\"><a href=\"#cb11-84\" aria-hidden=\"true\"><\/a>         <span class=\"ex\">ab<\/span>:0d:a0:15:c1:62:50:8d:fa:d8:56:f5:af:73:d6:90:72:6c:<\/span>\n<span id=\"cb11-85\"><a href=\"#cb11-85\" aria-hidden=\"true\"><\/a>         <span class=\"ex\">7e<\/span>:05:1b:db:a6:6f:d6:b7:cb:f0:89:bd:03:73:b2:ce:a4:2a:<\/span>\n<span 
id=\"cb11-86\"><a href=\"#cb11-86\" aria-hidden=\"true\"><\/a>         <span class=\"ex\">5b<\/span>:ab:27:6e:16:be:79:9f:b5:74:74:7e:75:d8:b5:e0:d0:0c:<\/span>\n<span id=\"cb11-87\"><a href=\"#cb11-87\" aria-hidden=\"true\"><\/a>         <span class=\"ex\">69<\/span>:0a:f1:cf:09:b2:84:be:cd:72:1a:cb:45:97:25:e2:be:1d:<\/span>\n<span id=\"cb11-88\"><a href=\"#cb11-88\" aria-hidden=\"true\"><\/a>         <span class=\"ex\">ff<\/span>:d2:40:8b:bf:d6:29:95:cf:a6:3d:b8:10:d1:eb:33:38:d4:<\/span>\n<span id=\"cb11-89\"><a href=\"#cb11-89\" aria-hidden=\"true\"><\/a>         <span class=\"ex\">35<\/span>:39:28:27:a8:c1:f8:c2:1e:e5:52:c9:b2:c6:4a:a1:1d:98:<\/span>\n<span id=\"cb11-90\"><a href=\"#cb11-90\" aria-hidden=\"true\"><\/a>         <span class=\"ex\">ea<\/span>:94:06:2f:af:5e:8e:0b:a3:05:3a:f2:e9:92:e8:63:9a:b8:<\/span>\n<span id=\"cb11-91\"><a href=\"#cb11-91\" aria-hidden=\"true\"><\/a>         <span class=\"ex\">33<\/span>:3b:86:b9:60:52:a0:90:40:30:80:b8:fa:4a:15:22:cb:34:<\/span>\n<span id=\"cb11-92\"><a href=\"#cb11-92\" aria-hidden=\"true\"><\/a>         <span class=\"ex\">bf<\/span>:91:5e:9b:51:7e:8b:a7:6d:4c:59:1e:2c:a4:70:d4:cd:9b:<\/span>\n<span id=\"cb11-93\"><a href=\"#cb11-93\" aria-hidden=\"true\"><\/a>         <span class=\"ex\">ae<\/span>:6b:57:ce:9e:fb:43:8c:ef:c6:a7:f4:be:39:fd:34:61:4c:<\/span>\n<span id=\"cb11-94\"><a href=\"#cb11-94\" aria-hidden=\"true\"><\/a>         <span class=\"ex\">84<\/span>:21:e0:fb:74:4d:31:bd:45:c3:1a:58:97:c7:bb:15:be:2a:<\/span>\n<span id=\"cb11-95\"><a href=\"#cb11-95\" aria-hidden=\"true\"><\/a>         <span class=\"ex\">74<\/span>:c0:7a:dd<\/span>\n<span id=\"cb11-96\"><a href=\"#cb11-96\" aria-hidden=\"true\"><\/a><span class=\"ex\">-----BEGIN<\/span> CERTIFICATE-----<\/span>\n<span id=\"cb11-97\"><a href=\"#cb11-97\" aria-hidden=\"true\"><\/a><span class=\"ex\">MIIGIzCCBQugAwIBAgISA0KXRlh93ThuHbL6dhxXULUiMA0GCSqGSIb3DQEBCwUA<\/span><\/span>\n<span id=\"cb11-98\"><a href=\"#cb11-98\" 
aria-hidden=\"true\"><\/a><span class=\"ex\">MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD<\/span><\/span>\n<span id=\"cb11-99\"><a href=\"#cb11-99\" aria-hidden=\"true\"><\/a><span class=\"ex\">ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNjEwMDIwNjI0MDBaFw0x<\/span><\/span>\n<span id=\"cb11-100\"><a href=\"#cb11-100\" aria-hidden=\"true\"><\/a><span class=\"ex\">NjEyMzEwNjI0MDBaMB4xHDAaBgNVBAMTE2NocmlzdGlhbi1mb2xpbmkuY2gwggIi<\/span><\/span>\n<span id=\"cb11-101\"><a href=\"#cb11-101\" aria-hidden=\"true\"><\/a><span class=\"ex\">MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCs5jQ6bYM3MW56xdFQmZNZtxLW<\/span><\/span>\n<span id=\"cb11-102\"><a href=\"#cb11-102\" aria-hidden=\"true\"><\/a><span class=\"ex\">KL79zzol8NAPncLZj3d7bMg4QSZDwOyRRsnU5wJA6ZDgH4LxAFOSH72vRxX1WQNx<\/span><\/span>\n<span id=\"cb11-103\"><a href=\"#cb11-103\" aria-hidden=\"true\"><\/a><span class=\"ex\">Duesz9WJ8vy3ioQmN\/QNFl55yIqH7IzA3sseIzZoasCcUQR3zCEBRwI81Gv+x7TX<\/span><\/span>\n<span id=\"cb11-104\"><a href=\"#cb11-104\" aria-hidden=\"true\"><\/a><span class=\"ex\">sAUErULo\/UEtKGmFuuvy+XOmW1Aep9\/srqtp\/ZnzkPAriRwNmwhbq1ptcKqenHK9<\/span><\/span>\n<span id=\"cb11-105\"><a href=\"#cb11-105\" aria-hidden=\"true\"><\/a><span class=\"ex\">MtyKkbF4uMGHKnxTZNdpAFsGBxQhgBOe85z9yUGTYG9aVU9m9VDnqdziUV4ZWqNd<\/span><\/span>\n<span id=\"cb11-106\"><a href=\"#cb11-106\" aria-hidden=\"true\"><\/a><span class=\"ex\">o1ixy5a4YoDxc80ynP2yPEQFotEPeAsqLkMVIS+BsDBzjbr75c4OSfUIYt2vu7tq<\/span><\/span>\n<span id=\"cb11-107\"><a href=\"#cb11-107\" aria-hidden=\"true\"><\/a><span class=\"ex\">VwTmQ1O40LrFv2oKFxJ+I6O\/w6P\/UK38VHWE9uAMXnWDqs26zuJDz+ZlklW3PgJy<\/span><\/span>\n<span id=\"cb11-108\"><a href=\"#cb11-108\" aria-hidden=\"true\"><\/a><span class=\"ex\">bQtdRRiuCaGruLgk0a50Q9zlTwo3uQWON7BnAV5QtHyJUpDS+lnAMzHz8DWAOKEb<\/span><\/span>\n<span id=\"cb11-109\"><a href=\"#cb11-109\" aria-hidden=\"true\"><\/a><span 
class=\"ex\">+3\/J0l5AdQ8zcx7r3OOa0dzWlKlVKvBxIF5kcbDPAz5Fdqb\/8RKTXQzRK1\/9HW7v<\/span><\/span>\n<span id=\"cb11-110\"><a href=\"#cb11-110\" aria-hidden=\"true\"><\/a><span class=\"ex\">cWl08dyoZMBrqBT8e3dN0kJBFfwQhJ+beLtksWwi5MF9ayWVKpFwFkqHgjjNfwoD<\/span><\/span>\n<span id=\"cb11-111\"><a href=\"#cb11-111\" aria-hidden=\"true\"><\/a><span class=\"ex\">zvBoxynlY\/CK6jcvrf3uiYlHElnolcFISZWWOeigxX5vg2u7\/YoAdJFUpPmJLLlb<\/span><\/span>\n<span id=\"cb11-112\"><a href=\"#cb11-112\" aria-hidden=\"true\"><\/a><span class=\"ex\">gNXTUl5BxKrFpfa75QIDAQABo4ICLTCCAikwDgYDVR0PAQH\/BAQDAgWgMB0GA1Ud<\/span><\/span>\n<span id=\"cb11-113\"><a href=\"#cb11-113\" aria-hidden=\"true\"><\/a><span class=\"ex\">JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQW<\/span><\/span>\n<span id=\"cb11-114\"><a href=\"#cb11-114\" aria-hidden=\"true\"><\/a><span class=\"ex\">BBQYRv3js0wlV0ZKONojeJQ0IzLzOTAfBgNVHSMEGDAWgBSoSmpjBH3duubRObem<\/span><\/span>\n<span id=\"cb11-115\"><a href=\"#cb11-115\" aria-hidden=\"true\"><\/a><span class=\"ex\">RWXv86jsoTBwBggrBgEFBQcBAQRkMGIwLwYIKwYBBQUHMAGGI2h0dHA6Ly9vY3Nw<\/span><\/span>\n<span id=\"cb11-116\"><a href=\"#cb11-116\" aria-hidden=\"true\"><\/a><span class=\"ex\">LmludC14My5sZXRzZW5jcnlwdC5vcmcvMC8GCCsGAQUFBzAChiNodHRwOi8vY2Vy<\/span><\/span>\n<span id=\"cb11-117\"><a href=\"#cb11-117\" aria-hidden=\"true\"><\/a><span class=\"ex\">dC5pbnQteDMubGV0c2VuY3J5cHQub3JnLzA3BgNVHREEMDAughNjaHJpc3RpYW4t<\/span><\/span>\n<span id=\"cb11-118\"><a href=\"#cb11-118\" aria-hidden=\"true\"><\/a><span class=\"ex\">Zm9saW5pLmNoghd3d3cuY2hyaXN0aWFuLWZvbGluaS5jaDCB\/gYDVR0gBIH2MIHz<\/span><\/span>\n<span id=\"cb11-119\"><a href=\"#cb11-119\" aria-hidden=\"true\"><\/a><span class=\"ex\">MAgGBmeBDAECATCB5gYLKwYBBAGC3xMBAQEwgdYwJgYIKwYBBQUHAgEWGmh0dHA6<\/span><\/span>\n<span id=\"cb11-120\"><a href=\"#cb11-120\" aria-hidden=\"true\"><\/a><span class=\"ex\">Ly9jcHMubGV0c2VuY3J5cHQub3JnMIGrBggrBgEFBQcCAjCBngyBm1RoaXMgQ2Vy<\/span><\/span>\n<span 
id=\"cb11-121\"><a href=\"#cb11-121\" aria-hidden=\"true\"><\/a><span class=\"ex\">dGlmaWNhdGUgbWF5IG9ubHkgYmUgcmVsaWVkIHVwb24gYnkgUmVseWluZyBQYXJ0<\/span><\/span>\n<span id=\"cb11-122\"><a href=\"#cb11-122\" aria-hidden=\"true\"><\/a><span class=\"ex\">aWVzIGFuZCBvbmx5IGluIGFjY29yZGFuY2Ugd2l0aCB0aGUgQ2VydGlmaWNhdGUg<\/span><\/span>\n<span id=\"cb11-123\"><a href=\"#cb11-123\" aria-hidden=\"true\"><\/a><span class=\"ex\">UG9saWN5IGZvdW5kIGF0IGh0dHBzOi8vbGV0c2VuY3J5cHQub3JnL3JlcG9zaXRv<\/span><\/span>\n<span id=\"cb11-124\"><a href=\"#cb11-124\" aria-hidden=\"true\"><\/a><span class=\"ex\">cnkvMA0GCSqGSIb3DQEBCwUAA4IBAQBTEngQUhMprmyiLZQbNFoHJQ\/gDufNu7bq<\/span><\/span>\n<span id=\"cb11-125\"><a href=\"#cb11-125\" aria-hidden=\"true\"><\/a><span class=\"ex\">FO+Tdq0ZkqqfmrDPobkvloCvHV\/fKitS\/QW+IyGrDaAVwWJQjfrYVvWvc9aQcmx+<\/span><\/span>\n<span id=\"cb11-126\"><a href=\"#cb11-126\" aria-hidden=\"true\"><\/a><span class=\"ex\">BRvbpm\/Wt8vwib0Dc7LOpCpbqyduFr55n7V0dH512LXg0AxpCvHPCbKEvs1yGstF<\/span><\/span>\n<span id=\"cb11-127\"><a href=\"#cb11-127\" aria-hidden=\"true\"><\/a><span class=\"ex\">lyXivh3\/0kCLv9Yplc+mPbgQ0eszONQ1OSgnqMH4wh7lUsmyxkqhHZjqlAYvr16O<\/span><\/span>\n<span id=\"cb11-128\"><a href=\"#cb11-128\" aria-hidden=\"true\"><\/a><span class=\"ex\">C6MFOvLpkuhjmrgzO4a5YFKgkEAwgLj6ShUiyzS\/kV6bUX6Lp21MWR4spHDUzZuu<\/span><\/span>\n<span id=\"cb11-129\"><a href=\"#cb11-129\" aria-hidden=\"true\"><\/a><span class=\"ex\">a1fOnvtDjO\/Gp\/S+Of00YUyEIeD7dE0xvUXDGliXx7sVvip0wHrd<\/span><\/span>\n<span id=\"cb11-130\"><a href=\"#cb11-130\" aria-hidden=\"true\"><\/a><span class=\"ex\">-----END<\/span> CERTIFICATE-----<\/span><\/code><\/pre><\/div>\n<p>If the certificate meets our expectations, we will copy it together with the key to the right location on the server. We will do this by hand first. Outside of the certificate and the key we also have to transfer the chain file. What\u2019s that, you may wonder. 
As we have seen, the browser trusts a series of certificate authorities from the start. When performing an <em>SSL<\/em>-handshake, this trust is extended to the webserver. To do this, the browser tries to build a chain of trust to one of the certificate authorities known to it. After the server certificate, the chain runs via the intermediate certificates we deliver in the form of the chain file. This means that the root certificate known to the browser has signed the first element of the chain file. This certificate has been used to sign the next certificate, and so forth down to the server certificate we recently obtained. If all the signatures are valid, the chain is intact and the browser assumes it is speaking to the correct server. This means the chain file has an important role as the link between the certificate authority and our server. That\u2019s why <code>getssl<\/code> has downloaded the file for us and stored it under <code>~\/.getssl\/christian-folini.ch\/chain.crt<\/code>, as reported to us above. So, let\u2019s take these three files and copy them onto the server. The exact location is not that important. 
That\u2019s why I decided to use a location alongside the already well-protected keys and certificates of the system under <code>\/etc\/ssl<\/code>.<\/p>\n<div class=\"sourceCode\" id=\"cb12\"><pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb12-1\"><a href=\"#cb12-1\" aria-hidden=\"true\"><\/a>$<span class=\"op\">&gt;<\/span> <span class=\"fu\">sudo<\/span> cp ~\/.getssl\/christian-folini.ch\/christian-folini.ch.key \/etc\/ssl\/private\/<\/span>\n<span id=\"cb12-2\"><a href=\"#cb12-2\" aria-hidden=\"true\"><\/a>$<span class=\"op\">&gt;<\/span> <span class=\"fu\">sudo<\/span> cp ~\/.getssl\/christian-folini.ch\/christian-folini.ch.crt \/etc\/ssl\/certs\/<\/span>\n<span id=\"cb12-3\"><a href=\"#cb12-3\" aria-hidden=\"true\"><\/a>$<span class=\"op\">&gt;<\/span> <span class=\"fu\">sudo<\/span> cp ~\/.getssl\/christian-folini.ch\/chain.crt \/etc\/ssl\/certs\/lets-encrypt-chain.crt<\/span><\/code><\/pre><\/div>\n<p>It is important to get the permissions right (and to make sure <code>~\/.getssl\/christian-folini.ch\/christian-folini.ch.key<\/code> is not accessible to others either). Only the key has to remain really secret from everybody but root. It is only read when the server starts. 
The certificate files are less delicate; in fact, we hand them out to every client that sends a request.<\/p>\n<div class=\"sourceCode\" id=\"cb13\"><pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb13-1\"><a href=\"#cb13-1\" aria-hidden=\"true\"><\/a>$<span class=\"op\">&gt;<\/span> <span class=\"fu\">sudo<\/span> chmod 400 \/etc\/ssl\/private\/christian-folini.ch.key<\/span>\n<span id=\"cb13-2\"><a href=\"#cb13-2\" aria-hidden=\"true\"><\/a>$<span class=\"op\">&gt;<\/span> <span class=\"fu\">sudo<\/span> chown root:root \/etc\/ssl\/private\/christian-folini.ch.key<\/span>\n<span id=\"cb13-3\"><a href=\"#cb13-3\" aria-hidden=\"true\"><\/a>$<span class=\"op\">&gt;<\/span> <span class=\"fu\">sudo<\/span> chmod 644 \/etc\/ssl\/certs\/christian-folini.ch.crt<\/span>\n<span id=\"cb13-4\"><a href=\"#cb13-4\" aria-hidden=\"true\"><\/a>$<span class=\"op\">&gt;<\/span> <span class=\"fu\">sudo<\/span> chown root:root \/etc\/ssl\/certs\/christian-folini.ch.crt<\/span>\n<span id=\"cb13-5\"><a href=\"#cb13-5\" aria-hidden=\"true\"><\/a>$<span class=\"op\">&gt;<\/span> <span class=\"fu\">sudo<\/span> chmod 644 \/etc\/ssl\/certs\/lets-encrypt-chain.crt<\/span>\n<span id=\"cb13-6\"><a href=\"#cb13-6\" aria-hidden=\"true\"><\/a>$<span class=\"op\">&gt;<\/span> <span class=\"fu\">sudo<\/span> chown root:root \/etc\/ssl\/certs\/lets-encrypt-chain.crt<\/span><\/code><\/pre><\/div>\n<p>Then we enter the new paths into the configuration:<\/p>\n<div class=\"sourceCode\" id=\"cb14\"><pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb14-1\"><a href=\"#cb14-1\" aria-hidden=\"true\"><\/a><span class=\"ex\">SSLCertificateKeyFile<\/span>   \/etc\/ssl\/private\/christian-folini.ch.key<\/span>\n<span id=\"cb14-2\"><a href=\"#cb14-2\" aria-hidden=\"true\"><\/a><span class=\"ex\">SSLCertificateFile<\/span>      \/etc\/ssl\/certs\/christian-folini.ch.crt<\/span>\n<span id=\"cb14-3\"><a href=\"#cb14-3\" aria-hidden=\"true\"><\/a><span class=\"ex\">SSLCertificateChainFile<\/span> \/etc\/ssl\/certs\/lets-encrypt-chain.crt<\/span><\/code><\/pre><\/div>\n<h3 id=\"step-5-examining-the-chain-of-trust\">Step 5: Examining the chain of trust<\/h3>\n<p>Before we start using the browser or curl to call our server, it is good practice to check the chain of trust and to make sure the encryption is properly configured. Let\u2019s start the server and check it out. We will use the command line tool <code>openssl<\/code> again. It really shines with all the options it has. However, <em>OpenSSL<\/em> does not have a list of known and trusted certificate authorities. We have to point the tool at the root certificate of the <em>Let\u2019s Encrypt<\/em> certificate authority. We will fetch it from <em>Let\u2019s Encrypt<\/em> and then call <code>openssl<\/code> with the root CA as a parameter:<\/p>\n<div class=\"sourceCode\" id=\"cb15\"><pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb15-1\"><a href=\"#cb15-1\" aria-hidden=\"true\"><\/a>$<span class=\"op\">&gt;<\/span> <span class=\"fu\">wget<\/span> https:\/\/letsencrypt.org\/certs\/isrgrootx1.pem -O \/tmp\/ca-lets-encrypt.crt<\/span>\n<span id=\"cb15-2\"><a href=\"#cb15-2\" aria-hidden=\"true\"><\/a><span class=\"ex\">...<\/span><\/span>\n<span id=\"cb15-3\"><a href=\"#cb15-3\" aria-hidden=\"true\"><\/a>$<span class=\"op\">&gt;<\/span> <span class=\"ex\">openssl<\/span> s_client -showcerts -CAfile \/tmp\/ca-lets-encrypt.crt <span class=\"kw\">\\<\/span><\/span>\n<span id=\"cb15-4\"><a href=\"#cb15-4\" aria-hidden=\"true\"><\/a><span class=\"ex\">-connect<\/span> 127.0.0.1:443 -servername www.christian-folini.ch<\/span><\/code><\/pre><\/div>\n<p>This instructs <code>openssl<\/code> to use its built-in client (<code>s_client<\/code>), to show us the full certificate information, to use the CA file we just downloaded, to connect to our localhost server and to use <code>www.christian-folini.ch<\/code> as the name for the 
server. If all went smoothly, we will see an output similar to the following:<\/p>\n<div class=\"sourceCode\" id=\"cb16\"><pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb16-1\"><a href=\"#cb16-1\" aria-hidden=\"true\"><\/a><span class=\"va\">depth=<\/span>2 <span class=\"ex\">O<\/span> = Digital Signature Trust Co., CN = DST Root CA X3<\/span>\n<span id=\"cb16-2\"><a href=\"#cb16-2\" aria-hidden=\"true\"><\/a><span class=\"ex\">verify<\/span> return:1<\/span>\n<span id=\"cb16-3\"><a href=\"#cb16-3\" aria-hidden=\"true\"><\/a><span class=\"va\">depth=<\/span>1 <span class=\"ex\">C<\/span> = US, O = Let<span class=\"st\">&#39;s Encrypt, CN = Let&#39;<\/span>s Encrypt Authority X3<\/span>\n<span id=\"cb16-4\"><a href=\"#cb16-4\" aria-hidden=\"true\"><\/a><span class=\"ex\">verify<\/span> return:1<\/span>\n<span id=\"cb16-5\"><a href=\"#cb16-5\" aria-hidden=\"true\"><\/a><span class=\"va\">depth=<\/span>0 <span class=\"ex\">CN<\/span> = christian-folini.ch<\/span>\n<span id=\"cb16-6\"><a href=\"#cb16-6\" aria-hidden=\"true\"><\/a><span class=\"ex\">verify<\/span> return:1<\/span>\n<span id=\"cb16-7\"><a href=\"#cb16-7\" aria-hidden=\"true\"><\/a><span class=\"ex\">CONNECTED<\/span>(00000003)<\/span>\n<span id=\"cb16-8\"><a href=\"#cb16-8\" aria-hidden=\"true\"><\/a><span class=\"ex\">---<\/span><\/span>\n<span id=\"cb16-9\"><a href=\"#cb16-9\" aria-hidden=\"true\"><\/a><span class=\"ex\">Certificate<\/span> chain<\/span>\n<span id=\"cb16-10\"><a href=\"#cb16-10\" aria-hidden=\"true\"><\/a> <span class=\"ex\">0<\/span> s:\/CN=christian-folini.ch<\/span>\n<span id=\"cb16-11\"><a href=\"#cb16-11\" aria-hidden=\"true\"><\/a>   <span class=\"ex\">i<\/span>:\/C=US\/O=Let<span class=\"st\">&#39;s Encrypt\/CN=Let&#39;<\/span>s Encrypt Authority X3<\/span>\n<span id=\"cb16-12\"><a href=\"#cb16-12\" aria-hidden=\"true\"><\/a><span class=\"ex\">-----BEGIN<\/span> CERTIFICATE-----<\/span>\n<span id=\"cb16-13\"><a href=\"#cb16-13\" 
aria-hidden=\"true\"><\/a><span class=\"ex\">MIIGIzCCBQugAwIBAgISA0KXRlh93ThuHbL6dhxXULUiMA0GCSqGSIb3DQEBCwUA<\/span><\/span>\n<span id=\"cb16-14\"><a href=\"#cb16-14\" aria-hidden=\"true\"><\/a><span class=\"ex\">MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD<\/span><\/span>\n<span id=\"cb16-15\"><a href=\"#cb16-15\" aria-hidden=\"true\"><\/a><span class=\"ex\">ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNjEwMDIwNjI0MDBaFw0x<\/span><\/span>\n<span id=\"cb16-16\"><a href=\"#cb16-16\" aria-hidden=\"true\"><\/a><span class=\"ex\">NjEyMzEwNjI0MDBaMB4xHDAaBgNVBAMTE2NocmlzdGlhbi1mb2xpbmkuY2gwggIi<\/span><\/span>\n<span id=\"cb16-17\"><a href=\"#cb16-17\" aria-hidden=\"true\"><\/a><span class=\"ex\">MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCs5jQ6bYM3MW56xdFQmZNZtxLW<\/span><\/span>\n<span id=\"cb16-18\"><a href=\"#cb16-18\" aria-hidden=\"true\"><\/a><span class=\"ex\">KL79zzol8NAPncLZj3d7bMg4QSZDwOyRRsnU5wJA6ZDgH4LxAFOSH72vRxX1WQNx<\/span><\/span>\n<span id=\"cb16-19\"><a href=\"#cb16-19\" aria-hidden=\"true\"><\/a><span class=\"ex\">Duesz9WJ8vy3ioQmN\/QNFl55yIqH7IzA3sseIzZoasCcUQR3zCEBRwI81Gv+x7TX<\/span><\/span>\n<span id=\"cb16-20\"><a href=\"#cb16-20\" aria-hidden=\"true\"><\/a><span class=\"ex\">sAUErULo\/UEtKGmFuuvy+XOmW1Aep9\/srqtp\/ZnzkPAriRwNmwhbq1ptcKqenHK9<\/span><\/span>\n<span id=\"cb16-21\"><a href=\"#cb16-21\" aria-hidden=\"true\"><\/a><span class=\"ex\">MtyKkbF4uMGHKnxTZNdpAFsGBxQhgBOe85z9yUGTYG9aVU9m9VDnqdziUV4ZWqNd<\/span><\/span>\n<span id=\"cb16-22\"><a href=\"#cb16-22\" aria-hidden=\"true\"><\/a><span class=\"ex\">o1ixy5a4YoDxc80ynP2yPEQFotEPeAsqLkMVIS+BsDBzjbr75c4OSfUIYt2vu7tq<\/span><\/span>\n<span id=\"cb16-23\"><a href=\"#cb16-23\" aria-hidden=\"true\"><\/a><span class=\"ex\">VwTmQ1O40LrFv2oKFxJ+I6O\/w6P\/UK38VHWE9uAMXnWDqs26zuJDz+ZlklW3PgJy<\/span><\/span>\n<span id=\"cb16-24\"><a href=\"#cb16-24\" aria-hidden=\"true\"><\/a><span class=\"ex\">bQtdRRiuCaGruLgk0a50Q9zlTwo3uQWON7BnAV5QtHyJUpDS+lnAMzHz8DWAOKEb<\/span><\/span>\n<span 
id=\"cb16-25\"><a href=\"#cb16-25\" aria-hidden=\"true\"><\/a><span class=\"ex\">+3\/J0l5AdQ8zcx7r3OOa0dzWlKlVKvBxIF5kcbDPAz5Fdqb\/8RKTXQzRK1\/9HW7v<\/span><\/span>\n<span id=\"cb16-26\"><a href=\"#cb16-26\" aria-hidden=\"true\"><\/a><span class=\"ex\">cWl08dyoZMBrqBT8e3dN0kJBFfwQhJ+beLtksWwi5MF9ayWVKpFwFkqHgjjNfwoD<\/span><\/span>\n<span id=\"cb16-27\"><a href=\"#cb16-27\" aria-hidden=\"true\"><\/a><span class=\"ex\">zvBoxynlY\/CK6jcvrf3uiYlHElnolcFISZWWOeigxX5vg2u7\/YoAdJFUpPmJLLlb<\/span><\/span>\n<span id=\"cb16-28\"><a href=\"#cb16-28\" aria-hidden=\"true\"><\/a><span class=\"ex\">gNXTUl5BxKrFpfa75QIDAQABo4ICLTCCAikwDgYDVR0PAQH\/BAQDAgWgMB0GA1Ud<\/span><\/span>\n<span id=\"cb16-29\"><a href=\"#cb16-29\" aria-hidden=\"true\"><\/a><span class=\"ex\">JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQW<\/span><\/span>\n<span id=\"cb16-30\"><a href=\"#cb16-30\" aria-hidden=\"true\"><\/a><span class=\"ex\">BBQYRv3js0wlV0ZKONojeJQ0IzLzOTAfBgNVHSMEGDAWgBSoSmpjBH3duubRObem<\/span><\/span>\n<span id=\"cb16-31\"><a href=\"#cb16-31\" aria-hidden=\"true\"><\/a><span class=\"ex\">RWXv86jsoTBwBggrBgEFBQcBAQRkMGIwLwYIKwYBBQUHMAGGI2h0dHA6Ly9vY3Nw<\/span><\/span>\n<span id=\"cb16-32\"><a href=\"#cb16-32\" aria-hidden=\"true\"><\/a><span class=\"ex\">LmludC14My5sZXRzZW5jcnlwdC5vcmcvMC8GCCsGAQUFBzAChiNodHRwOi8vY2Vy<\/span><\/span>\n<span id=\"cb16-33\"><a href=\"#cb16-33\" aria-hidden=\"true\"><\/a><span class=\"ex\">dC5pbnQteDMubGV0c2VuY3J5cHQub3JnLzA3BgNVHREEMDAughNjaHJpc3RpYW4t<\/span><\/span>\n<span id=\"cb16-34\"><a href=\"#cb16-34\" aria-hidden=\"true\"><\/a><span class=\"ex\">Zm9saW5pLmNoghd3d3cuY2hyaXN0aWFuLWZvbGluaS5jaDCB\/gYDVR0gBIH2MIHz<\/span><\/span>\n<span id=\"cb16-35\"><a href=\"#cb16-35\" aria-hidden=\"true\"><\/a><span class=\"ex\">MAgGBmeBDAECATCB5gYLKwYBBAGC3xMBAQEwgdYwJgYIKwYBBQUHAgEWGmh0dHA6<\/span><\/span>\n<span id=\"cb16-36\"><a href=\"#cb16-36\" aria-hidden=\"true\"><\/a><span 
class=\"ex\">Ly9jcHMubGV0c2VuY3J5cHQub3JnMIGrBggrBgEFBQcCAjCBngyBm1RoaXMgQ2Vy<\/span><\/span>\n<span id=\"cb16-37\"><a href=\"#cb16-37\" aria-hidden=\"true\"><\/a><span class=\"ex\">dGlmaWNhdGUgbWF5IG9ubHkgYmUgcmVsaWVkIHVwb24gYnkgUmVseWluZyBQYXJ0<\/span><\/span>\n<span id=\"cb16-38\"><a href=\"#cb16-38\" aria-hidden=\"true\"><\/a><span class=\"ex\">aWVzIGFuZCBvbmx5IGluIGFjY29yZGFuY2Ugd2l0aCB0aGUgQ2VydGlmaWNhdGUg<\/span><\/span>\n<span id=\"cb16-39\"><a href=\"#cb16-39\" aria-hidden=\"true\"><\/a><span class=\"ex\">UG9saWN5IGZvdW5kIGF0IGh0dHBzOi8vbGV0c2VuY3J5cHQub3JnL3JlcG9zaXRv<\/span><\/span>\n<span id=\"cb16-40\"><a href=\"#cb16-40\" aria-hidden=\"true\"><\/a><span class=\"ex\">cnkvMA0GCSqGSIb3DQEBCwUAA4IBAQBTEngQUhMprmyiLZQbNFoHJQ\/gDufNu7bq<\/span><\/span>\n<span id=\"cb16-41\"><a href=\"#cb16-41\" aria-hidden=\"true\"><\/a><span class=\"ex\">FO+Tdq0ZkqqfmrDPobkvloCvHV\/fKitS\/QW+IyGrDaAVwWJQjfrYVvWvc9aQcmx+<\/span><\/span>\n<span id=\"cb16-42\"><a href=\"#cb16-42\" aria-hidden=\"true\"><\/a><span class=\"ex\">BRvbpm\/Wt8vwib0Dc7LOpCpbqyduFr55n7V0dH512LXg0AxpCvHPCbKEvs1yGstF<\/span><\/span>\n<span id=\"cb16-43\"><a href=\"#cb16-43\" aria-hidden=\"true\"><\/a><span class=\"ex\">lyXivh3\/0kCLv9Yplc+mPbgQ0eszONQ1OSgnqMH4wh7lUsmyxkqhHZjqlAYvr16O<\/span><\/span>\n<span id=\"cb16-44\"><a href=\"#cb16-44\" aria-hidden=\"true\"><\/a><span class=\"ex\">C6MFOvLpkuhjmrgzO4a5YFKgkEAwgLj6ShUiyzS\/kV6bUX6Lp21MWR4spHDUzZuu<\/span><\/span>\n<span id=\"cb16-45\"><a href=\"#cb16-45\" aria-hidden=\"true\"><\/a><span class=\"ex\">a1fOnvtDjO\/Gp\/S+Of00YUyEIeD7dE0xvUXDGliXx7sVvip0wHrd<\/span><\/span>\n<span id=\"cb16-46\"><a href=\"#cb16-46\" aria-hidden=\"true\"><\/a><span class=\"ex\">-----END<\/span> CERTIFICATE-----<\/span>\n<span id=\"cb16-47\"><a href=\"#cb16-47\" aria-hidden=\"true\"><\/a> <span class=\"ex\">1<\/span> s:\/C=US\/O=Let<span class=\"st\">&#39;s Encrypt\/CN=Let&#39;<\/span>s Encrypt Authority X3<\/span>\n<span id=\"cb16-48\"><a href=\"#cb16-48\" 
aria-hidden=\"true\"><\/a>   <span class=\"ex\">i<\/span>:\/O=Digital Signature Trust Co.\/CN=DST Root CA X3<\/span>\n<span id=\"cb16-49\"><a href=\"#cb16-49\" aria-hidden=\"true\"><\/a><span class=\"ex\">-----BEGIN<\/span> CERTIFICATE-----<\/span>\n<span id=\"cb16-50\"><a href=\"#cb16-50\" aria-hidden=\"true\"><\/a><span class=\"ex\">MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA\/<\/span><\/span>\n<span id=\"cb16-51\"><a href=\"#cb16-51\" aria-hidden=\"true\"><\/a><span class=\"ex\">MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT<\/span><\/span>\n<span id=\"cb16-52\"><a href=\"#cb16-52\" aria-hidden=\"true\"><\/a><span class=\"ex\">DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow<\/span><\/span>\n<span id=\"cb16-53\"><a href=\"#cb16-53\" aria-hidden=\"true\"><\/a><span class=\"ex\">SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT<\/span><\/span>\n<span id=\"cb16-54\"><a href=\"#cb16-54\" aria-hidden=\"true\"><\/a><span class=\"ex\">GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC<\/span><\/span>\n<span id=\"cb16-55\"><a href=\"#cb16-55\" aria-hidden=\"true\"><\/a><span class=\"ex\">AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF<\/span><\/span>\n<span id=\"cb16-56\"><a href=\"#cb16-56\" aria-hidden=\"true\"><\/a><span class=\"ex\">q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan\/PQeGdxyGkOlZHP\/uaZ6WA8<\/span><\/span>\n<span id=\"cb16-57\"><a href=\"#cb16-57\" aria-hidden=\"true\"><\/a><span class=\"ex\">SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0<\/span><\/span>\n<span id=\"cb16-58\"><a href=\"#cb16-58\" aria-hidden=\"true\"><\/a><span class=\"ex\">Z8h\/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA<\/span><\/span>\n<span id=\"cb16-59\"><a href=\"#cb16-59\" aria-hidden=\"true\"><\/a><span class=\"ex\">a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB\/onkxEz0tNvjj<\/span><\/span>\n<span id=\"cb16-60\"><a href=\"#cb16-60\" 
aria-hidden=\"true\"><\/a><span class=\"ex\">\/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T<\/span><\/span>\n<span id=\"cb16-61\"><a href=\"#cb16-61\" aria-hidden=\"true\"><\/a><span class=\"ex\">AQH\/BAgwBgEB\/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG<\/span><\/span>\n<span id=\"cb16-62\"><a href=\"#cb16-62\" aria-hidden=\"true\"><\/a><span class=\"ex\">CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv<\/span><\/span>\n<span id=\"cb16-63\"><a href=\"#cb16-63\" aria-hidden=\"true\"><\/a><span class=\"ex\">bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k<\/span><\/span>\n<span id=\"cb16-64\"><a href=\"#cb16-64\" aria-hidden=\"true\"><\/a><span class=\"ex\">c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf\/EFWCFiRAw<\/span><\/span>\n<span id=\"cb16-65\"><a href=\"#cb16-65\" aria-hidden=\"true\"><\/a><span class=\"ex\">VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC<\/span><\/span>\n<span id=\"cb16-66\"><a href=\"#cb16-66\" aria-hidden=\"true\"><\/a><span class=\"ex\">ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz<\/span><\/span>\n<span id=\"cb16-67\"><a href=\"#cb16-67\" aria-hidden=\"true\"><\/a><span class=\"ex\">MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu<\/span><\/span>\n<span id=\"cb16-68\"><a href=\"#cb16-68\" aria-hidden=\"true\"><\/a><span class=\"ex\">Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF<\/span><\/span>\n<span id=\"cb16-69\"><a href=\"#cb16-69\" aria-hidden=\"true\"><\/a><span class=\"ex\">AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo<\/span><\/span>\n<span id=\"cb16-70\"><a href=\"#cb16-70\" aria-hidden=\"true\"><\/a><span class=\"ex\">uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr\/1wXKtx8\/<\/span><\/span>\n<span id=\"cb16-71\"><a href=\"#cb16-71\" aria-hidden=\"true\"><\/a><span class=\"ex\">wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so\/joWUoHOUgwu<\/span><\/span>\n<span 
id=\"cb16-72\"><a href=\"#cb16-72\" aria-hidden=\"true\"><\/a><span class=\"ex\">X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG<\/span><\/span>\n<span id=\"cb16-73\"><a href=\"#cb16-73\" aria-hidden=\"true\"><\/a><span class=\"ex\">PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6<\/span><\/span>\n<span id=\"cb16-74\"><a href=\"#cb16-74\" aria-hidden=\"true\"><\/a><span class=\"ex\">KOqkqm57TH2H3eDJAkSnh6<\/span>\/<span class=\"va\">DNFu0Qg=<\/span>=<\/span>\n<span id=\"cb16-75\"><a href=\"#cb16-75\" aria-hidden=\"true\"><\/a><span class=\"ex\">-----END<\/span> CERTIFICATE-----<\/span>\n<span id=\"cb16-76\"><a href=\"#cb16-76\" aria-hidden=\"true\"><\/a><span class=\"ex\">---<\/span><\/span>\n<span id=\"cb16-77\"><a href=\"#cb16-77\" aria-hidden=\"true\"><\/a><span class=\"ex\">Server<\/span> certificate<\/span>\n<span id=\"cb16-78\"><a href=\"#cb16-78\" aria-hidden=\"true\"><\/a><span class=\"va\">subject=<\/span>\/CN=<span class=\"ex\">christian-folini.ch<\/span><\/span>\n<span id=\"cb16-79\"><a href=\"#cb16-79\" aria-hidden=\"true\"><\/a><span class=\"va\">issuer=<\/span>\/C=<span class=\"ex\">US<\/span>\/<span class=\"va\">O=<\/span>Let<span class=\"st\">&#39;s Encrypt\/CN=Let&#39;<\/span>s <span class=\"ex\">Encrypt<\/span> Authority X3<\/span>\n<span id=\"cb16-80\"><a href=\"#cb16-80\" aria-hidden=\"true\"><\/a><span class=\"ex\">---<\/span><\/span>\n<span id=\"cb16-81\"><a href=\"#cb16-81\" aria-hidden=\"true\"><\/a><span class=\"ex\">No<\/span> client certificate CA names sent<\/span>\n<span id=\"cb16-82\"><a href=\"#cb16-82\" aria-hidden=\"true\"><\/a><span class=\"ex\">---<\/span><\/span>\n<span id=\"cb16-83\"><a href=\"#cb16-83\" aria-hidden=\"true\"><\/a><span class=\"ex\">SSL<\/span> handshake has read 3719 bytes and written 453 bytes<\/span>\n<span id=\"cb16-84\"><a href=\"#cb16-84\" aria-hidden=\"true\"><\/a><span class=\"ex\">---<\/span><\/span>\n<span id=\"cb16-85\"><a href=\"#cb16-85\" 
aria-hidden=\"true\"><\/a><span class=\"ex\">New<\/span>, TLSv1\/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384<\/span>\n<span id=\"cb16-86\"><a href=\"#cb16-86\" aria-hidden=\"true\"><\/a><span class=\"ex\">Server<\/span> public key is 4096 bit<\/span>\n<span id=\"cb16-87\"><a href=\"#cb16-87\" aria-hidden=\"true\"><\/a><span class=\"ex\">Secure<\/span> Renegotiation IS supported<\/span>\n<span id=\"cb16-88\"><a href=\"#cb16-88\" aria-hidden=\"true\"><\/a><span class=\"ex\">Compression<\/span>: NONE<\/span>\n<span id=\"cb16-89\"><a href=\"#cb16-89\" aria-hidden=\"true\"><\/a><span class=\"ex\">Expansion<\/span>: NONE<\/span>\n<span id=\"cb16-90\"><a href=\"#cb16-90\" aria-hidden=\"true\"><\/a><span class=\"ex\">SSL-Session<\/span>:<\/span>\n<span id=\"cb16-91\"><a href=\"#cb16-91\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">Protocol<\/span>  : TLSv1.2<\/span>\n<span id=\"cb16-92\"><a href=\"#cb16-92\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">Cipher<\/span>    : ECDHE-RSA-AES256-GCM-SHA384<\/span>\n<span id=\"cb16-93\"><a href=\"#cb16-93\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">Session-ID<\/span>: 14085DAC8BEEEE156D6B12EA9010A765D3237501B2C8142BDDEDE7DAF6D1C708<\/span>\n<span id=\"cb16-94\"><a href=\"#cb16-94\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">Session-ID-ctx<\/span>: <\/span>\n<span id=\"cb16-95\"><a href=\"#cb16-95\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">Master-Key<\/span>: 96C3DCF06D88B17C3FCDEDA226AC05015CE0EFFFCBEB57175A7742D6EF59500C3 \u2026<\/span>\n<span id=\"cb16-96\"><a href=\"#cb16-96\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">Key-Arg<\/span>   : None<\/span>\n<span id=\"cb16-97\"><a href=\"#cb16-97\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">PSK<\/span> identity: None<\/span>\n<span id=\"cb16-98\"><a href=\"#cb16-98\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">PSK<\/span> identity hint: None<\/span>\n<span id=\"cb16-99\"><a href=\"#cb16-99\" aria-hidden=\"true\"><\/a>    <span 
class=\"ex\">SRP<\/span> username: None<\/span>\n<span id=\"cb16-100\"><a href=\"#cb16-100\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">TLS<\/span> session ticket lifetime hint: 300 (seconds)<\/span>\n<span id=\"cb16-101\"><a href=\"#cb16-101\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">TLS<\/span> session ticket:<\/span>\n<span id=\"cb16-102\"><a href=\"#cb16-102\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">0000<\/span> - 24 ae 3e f6 19 3e b5 b5-5c 91 8f f3 04 87 38 6a   $.<span class=\"op\">&gt;<\/span>..<span class=\"op\">&gt;<\/span>..\\.....8j<\/span>\n<span id=\"cb16-103\"><a href=\"#cb16-103\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">0010<\/span> - 35 69 84 d5 3b a8 29 1a-95 df 2a a1 29 ce 82 eb   5i..<span class=\"kw\">;<\/span><span class=\"ex\">.<\/span>)<span class=\"ex\">...*.<\/span>)<span class=\"ex\">...<\/span><\/span>\n<span id=\"cb16-104\"><a href=\"#cb16-104\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">0020<\/span> - bd f1 52 83 44 1f a3 8a-46 62 97 09 c5 4f 42 3b   ..R.D...Fb...OB<span class=\"kw\">;<\/span><\/span>\n<span id=\"cb16-105\"><a href=\"#cb16-105\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">0030<\/span> - 1c 62 d6 4b 69 88 5f 83-e5 75 c1 cf 63 24 6f cd   .b.Ki._..u..c<span class=\"va\">$o<\/span>.<\/span>\n<span id=\"cb16-106\"><a href=\"#cb16-106\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">0040<\/span> - 76 03 6e c6 f8 29 48 d8-dc fc ad aa 9b 3d 17 7f   v.n..)<span class=\"ex\">H......<\/span>=..<\/span>\n<span id=\"cb16-107\"><a href=\"#cb16-107\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">0050<\/span> - 0d c4 06 ea 38 7e 7e f4-b4 24 a0 f2 b3 9b ea a9   ....8~~..$......<\/span>\n<span id=\"cb16-108\"><a href=\"#cb16-108\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">0060<\/span> - 8d 8b 0a 69 18 14 d4 ff-47 f0 b9 c7 a2 54 11 e0   ...i....G....T..<\/span>\n<span id=\"cb16-109\"><a href=\"#cb16-109\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">0070<\/span> - 42 cf f3 42 21 
34 7e f9-05 05 f7 34 7c d8 a3 9d   B..B!4~....4<span class=\"kw\">|<\/span><span class=\"ex\">...<\/span><\/span>\n<span id=\"cb16-110\"><a href=\"#cb16-110\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">0080<\/span> - c5 1a d1 99 70 de d3 c4-19 4e ef 51 42 df 70 3d   ....p....N.QB.p=<\/span>\n<span id=\"cb16-111\"><a href=\"#cb16-111\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">0090<\/span> - 11 82 b6 77 94 ae 7b a6-a0 c9 b5 e1 41 0a 89 4f   ...w..{.....A..O<\/span>\n<span id=\"cb16-112\"><a href=\"#cb16-112\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">00a0<\/span> - 0c 99 11 db 0a 79 42 20-30 02 2c e5 13 f0 76 ce   .....yB 0.,...v.<\/span>\n<span id=\"cb16-113\"><a href=\"#cb16-113\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">00b0<\/span> - fa bc 57 5c 92 2d be b0-a2 9e 45 09 a8 d9 4e 67   ..W\\.-....E...Ng<\/span>\n<span id=\"cb16-114\"><a href=\"#cb16-114\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">00c0<\/span> - b7 9e d4 d3 d7 49 05 79-37 1e d3 19 1f 6d 49 ff   .....I.y7....mI.<\/span>\n<span id=\"cb16-115\"><a href=\"#cb16-115\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb16-116\"><a href=\"#cb16-116\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">Start<\/span> Time: 1475506220<\/span>\n<span id=\"cb16-117\"><a href=\"#cb16-117\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">Timeout<\/span>   : 300 (sec)<\/span>\n<span id=\"cb16-118\"><a href=\"#cb16-118\" aria-hidden=\"true\"><\/a>    <span class=\"ex\">Verify<\/span> return code: 0 (ok)<\/span>\n<span id=\"cb16-119\"><a href=\"#cb16-119\" aria-hidden=\"true\"><\/a><span class=\"ex\">---<\/span><\/span><\/code><\/pre><\/div>\n<p>The first few lines are very important as they list the chain. Of equal importance is the last line with the <em>ok<\/em>. 
This proves that the chain has been verified successfully and that a secure communication channel with the server has been established.<\/p>\n<p>If we examine the chain at the top carefully, we will see that <em>Let\u2019s Encrypt<\/em> depends on an additional certificate authority. This is necessary because <em>Let\u2019s Encrypt<\/em> is a very young certificate authority and has not yet found its way into all browsers. This forces <em>Let\u2019s Encrypt<\/em> to have its certificate signed by a different certificate authority known to the browser.<\/p>\n<h3 id=\"step-6-enhancing-the-apache-configuration-a-bit\">Step 6: Enhancing the Apache configuration a bit<\/h3>\n<p>All of the preparations are now complete and we can do the final configuration of the web server. I won\u2019t be giving you the complete configuration here, but only the specific server name and the tweaked SSL section:<\/p>\n<div class=\"sourceCode\" id=\"cb17\"><pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb17-1\"><a href=\"#cb17-1\" aria-hidden=\"true\"><\/a><span class=\"ex\">ServerName<\/span>              www.christian-folini.ch<\/span>\n<span id=\"cb17-2\"><a href=\"#cb17-2\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb17-3\"><a href=\"#cb17-3\" aria-hidden=\"true\"><\/a><span class=\"ex\">...<\/span><\/span>\n<span id=\"cb17-4\"><a href=\"#cb17-4\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb17-5\"><a href=\"#cb17-5\" aria-hidden=\"true\"><\/a><span class=\"ex\">LoadModule<\/span>              socache_shmcb_module    modules\/mod_socache_shmcb.so<\/span>\n<span id=\"cb17-6\"><a href=\"#cb17-6\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb17-7\"><a href=\"#cb17-7\" aria-hidden=\"true\"><\/a><span class=\"ex\">...<\/span><\/span>\n<span id=\"cb17-8\"><a href=\"#cb17-8\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb17-9\"><a href=\"#cb17-9\" aria-hidden=\"true\"><\/a><span class=\"ex\">SSLCertificateKeyFile<\/span>   
\/etc\/ssl\/private\/christian-folini.ch.key<\/span>\n<span id=\"cb17-10\"><a href=\"#cb17-10\" aria-hidden=\"true\"><\/a><span class=\"ex\">SSLCertificateFile<\/span>      \/etc\/ssl\/certs\/christian-folini.ch.crt<\/span>\n<span id=\"cb17-11\"><a href=\"#cb17-11\" aria-hidden=\"true\"><\/a><span class=\"ex\">SSLCertificateChainFile<\/span> \/etc\/ssl\/certs\/lets-encrypt-chain.crt<\/span>\n<span id=\"cb17-12\"><a href=\"#cb17-12\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb17-13\"><a href=\"#cb17-13\" aria-hidden=\"true\"><\/a><span class=\"ex\">SSLProtocol<\/span>             All -SSLv2 -SSLv3<\/span>\n<span id=\"cb17-14\"><a href=\"#cb17-14\" aria-hidden=\"true\"><\/a><span class=\"ex\">SSLCipherSuite<\/span>          <span class=\"st\">&#39;kEECDH+ECDSA kEECDH kEDH HIGH +SHA !aNULL !eNULL !LOW !MEDIUM \\<\/span><\/span>\n<span id=\"cb17-15\"><a href=\"#cb17-15\" aria-hidden=\"true\"><\/a><span class=\"st\">!MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4&#39;<\/span><\/span>\n<span id=\"cb17-16\"><a href=\"#cb17-16\" aria-hidden=\"true\"><\/a><span class=\"ex\">SSLHonorCipherOrder<\/span>     On<\/span>\n<span id=\"cb17-17\"><a href=\"#cb17-17\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb17-18\"><a href=\"#cb17-18\" aria-hidden=\"true\"><\/a><span class=\"ex\">SSLRandomSeed<\/span>           startup file:\/dev\/urandom 2048<\/span>\n<span id=\"cb17-19\"><a href=\"#cb17-19\" aria-hidden=\"true\"><\/a><span class=\"ex\">SSLRandomSeed<\/span>           connect builtin<\/span>\n<span id=\"cb17-20\"><a href=\"#cb17-20\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb17-21\"><a href=\"#cb17-21\" aria-hidden=\"true\"><\/a><span class=\"ex\">SSLSessionCache<\/span>         <span class=\"st\">&quot;shmcb:\/apache\/logs\/ssl_gcache_data(1024000)&quot;<\/span><\/span>\n<span id=\"cb17-22\"><a href=\"#cb17-22\" aria-hidden=\"true\"><\/a><span class=\"ex\">SSLSessionTickets<\/span>       On<\/span>\n<span id=\"cb17-23\"><a href=\"#cb17-23\" 
aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb17-24\"><a href=\"#cb17-24\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb17-25\"><a href=\"#cb17-25\" aria-hidden=\"true\"><\/a><span class=\"ex\">...<\/span><\/span>\n<span id=\"cb17-26\"><a href=\"#cb17-26\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb17-27\"><a href=\"#cb17-27\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb17-28\"><a href=\"#cb17-28\" aria-hidden=\"true\"><\/a><span class=\"op\">&lt;<\/span><span class=\"ex\">VirtualHost<\/span> 127.0.0.1:<span class=\"op\">443&gt;<\/span><\/span>\n<span id=\"cb17-29\"><a href=\"#cb17-29\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb17-30\"><a href=\"#cb17-30\" aria-hidden=\"true\"><\/a>        <span class=\"ex\">ServerName<\/span>              www.christian-folini.ch<\/span>\n<span id=\"cb17-31\"><a href=\"#cb17-31\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb17-32\"><a href=\"#cb17-32\" aria-hidden=\"true\"><\/a>        <span class=\"ex\">SSLEngine<\/span> On<\/span>\n<span id=\"cb17-33\"><a href=\"#cb17-33\" aria-hidden=\"true\"><\/a>        <span class=\"ex\">Header<\/span> always set Strict-Transport-Security <span class=\"st\">&quot;max-age=31536000; includeSubDomains&quot;<\/span> env=HTTPS<\/span>\n<span id=\"cb17-34\"><a href=\"#cb17-34\" aria-hidden=\"true\"><\/a><\/span>\n<span id=\"cb17-35\"><a href=\"#cb17-35\" aria-hidden=\"true\"><\/a>        <span class=\"ex\">...<\/span><\/span><\/code><\/pre><\/div>\n<p>It\u2019s also useful to enter the <em>ServerName<\/em> matching the certificate in the <em>VirtualHost<\/em>. If we don\u2019t do that, Apache will put up a warning (and then still select the only configured virtual host and continue to work correctly).<\/p>\n<p>The <em>SSLSessionCache<\/em> and <em>SSLSessionTickets<\/em> options are new. These two directives control the behavior of the <em>SSL session cache<\/em>. 
The cache requires the <em>socache_shmcb<\/em> module, which provides the caching functionality that <em>mod_ssl<\/em> uses. There are alternative cache provider modules, but this one is straightforward. It works as follows: During the SSL handshake the parameters of the connection, such as the key and the encryption algorithm, are negotiated. This takes place using public key cryptography, which is very CPU intensive. Once the handshake is successfully completed, the server communicates with the client via much faster symmetric encryption using the parameters that were just negotiated. Once the request has been completed and the <em>keep-alive<\/em> period has expired without a new request, the TCP connection and the parameters negotiated for it are lost. If the connection is reopened just a short time later, the parameters have to be negotiated again. This is time-consuming, as we have just seen. It would be better if the parameters that were previously negotiated could be reactivated and also used by different processing threads. This option exists in the form of the <em>SSL session cache<\/em>. This cache has traditionally been managed on the server side.<\/p>\n<p>With a session cache via tickets, the parameters are combined in a session ticket and sent to the client, where they are stored on the client side, saving storage space on the web server. When opening a new connection the client sends the ticket back to the server, which configures the connection accordingly. To prevent manipulation of the parameters in the ticket, the server signs the ticket and verifies the signature again when a connection is reopened. Something to consider with this mechanism is that the signature depends on a signing key, which is for the most part generated dynamically, and it is a good idea to rotate this key regularly. Restarting the server guarantees this.<\/p>\n<p>SSL session tickets are fairly recent and are now supported by all major browsers. 
They are also considered secure thanks to the signing process. However, this does not change the fact that there is a theoretical vulnerability: the session parameters could be stolen on the client side.<\/p>\n<p>Both types of session caches can be disabled. This is done as follows:<\/p>\n<div class=\"sourceCode\" id=\"cb18\"><pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb18-1\"><a href=\"#cb18-1\" aria-hidden=\"true\"><\/a><span class=\"ex\">SSLSessionCache<\/span>         nonenotnull<\/span>\n<span id=\"cb18-2\"><a href=\"#cb18-2\" aria-hidden=\"true\"><\/a><span class=\"ex\">SSLSessionTickets<\/span>       Off<\/span><\/code><\/pre><\/div>\n<p>Of course, this adjustment will have consequences in terms of performance. You will see a small drop in throughput on the server, but the clients will encounter higher latency, as the SSL\/TLS handshake has to be performed again from scratch. So it is again a trade-off between reducing your attack surface and performance: Most people leave the caching in place and I think this is generally a good practice.<\/p>\n<h3 id=\"step-7-trying-it-out\">Step 7: Trying it out<\/h3>\n<p>Now that we are sure we own an officially signed certificate with a valid chain of trust and now that we understand all the other configuration options in detail, we can turn to the browser and call the domain we configured. 
In my case, this is <a href=\"https:\/\/www.christian-folini.ch\">https:\/\/www.christian-folini.ch<\/a>.<\/p>\n<figure>\n<img decoding=\"async\" src=\"https:\/\/www.netnea.com\/files\/apache-tutorial-4-screenshot-christian-folini.ch.png\" alt=\"\" \/><figcaption>Screenshot: christian-folini.ch<\/figcaption>\n<\/figure>\n<p>The browser confirms that this is a secure connection.<\/p>\n<h3 id=\"step-8-fetching-the-certificate-via-cron-from-lets-encrypt\">Step 8: Fetching the certificate via Cron from Let\u2019s Encrypt<\/h3>\n<p><em>Let\u2019s Encrypt<\/em> creates the certificates for a period of 90 days by default. This means we will have to perform the manual call as outlined above every three months. This can be automated, though. As the <code>getssl<\/code> process needs to access the certificate key, the process has to operate as the <code>root<\/code> user. Additionally, the certificate authority <em>Let\u2019s Encrypt<\/em> has to be called via the internet. In effect, this means that we have to allow <code>root<\/code> to access the internet. This is not without risks and has to be considered carefully.<\/p>\n<p>The script <code>getssl<\/code> offers a feature to make this call from a different host than the web server, typically an administration host. This only works if the certificate key is stored on multiple servers. That\u2019s another risk.<\/p>\n<p>It is important to weigh the various risks and to come to a conclusion for the specific case. 
Once you have settled on a good solution, you can automate the process by performing the following edits in the configuration of <code>getssl<\/code>:<\/p>\n<ul>\n<li>Alter the <code>acl<\/code> entries if you have chosen to work from an administration server.<\/li>\n<li>Define the variable <code>DOMAIN_CERT_LOCATION<\/code><\/li>\n<li>Define the variable <code>DOMAIN_KEY_LOCATION<\/code><\/li>\n<li>Define the variable <code>DOMAIN_CHAIN_LOCATION<\/code><\/li>\n<li>Define the variable <code>RELOAD_CMD<\/code><\/li>\n<li>Create the cron job<\/li>\n<\/ul>\n<p>The following entry in the <em>crontab<\/em> calls <code>getssl<\/code> daily. The script will then decide whether the renewal is due. The path to <code>getssl<\/code> might have to be adapted, depending on the location of the script and the config files (the <code>--nocheck<\/code> option tells the script not to contact <em>GitHub<\/em> to look for a new version of itself):<\/p>\n<div class=\"sourceCode\" id=\"cb19\"><pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb19-1\"><a href=\"#cb19-1\" aria-hidden=\"true\"><\/a><span class=\"ex\">30<\/span> 4 * * * getssl --all --quiet --nocheck<\/span><\/code><\/pre><\/div>\n<p>With this, the signing and renewal of the certificate is fully automated and we are done.<\/p>\n<p>Interestingly, there is an online checking service where you can have your <em>HTTPS<\/em> server examined. Let\u2019s try this out as a goodie.<\/p>\n<h3 id=\"step-9-goodie-checking-the-quality-of-ssl-externally\">Step 9 (Goodie): Checking the quality of SSL externally<\/h3>\n<p>Ivan Risti\u0107, mentioned above as the author of several books on Apache and SSL, launched an analysis service that checks <em>SSL web servers<\/em>. He has since sold the site to Qualys, but it is still being maintained and actively expanded. It is available at <a href=\"https:\/\/www.ssllabs.com\/ssldb\/index.html\">www.ssllabs.com<\/a>. 
A web server configured like the one above earned me the highest grade of <em>A+<\/em> on the test.<\/p>\n<figure>\n<img decoding=\"async\" src=\"https:\/\/www.netnea.com\/files\/apache-tutorial-4-screenshot-ssllabs.png\" alt=\"\" \/><figcaption>Screenshot: SSLLabs<\/figcaption>\n<\/figure>\n<p>The highest grade is attainable by following these instructions.<\/p>\n<h3 id=\"references\">References<\/h3>\n<ul>\n<li><a href=\"http:\/\/de.wikipedia.org\/wiki\/Openssl\">Wikipedia OpenSSL<\/a><\/li>\n<li><a href=\"https:\/\/www.feistyduck.com\/books\/openssl-cookbook\/\">OpenSSL Cookbook<\/a><\/li>\n<li><a href=\"https:\/\/www.feistyduck.com\/books\/bulletproof-ssl-and-tls\/\">Bulletproof SSL and TLS<\/a><\/li>\n<li><a href=\"http:\/\/httpd.apache.org\/docs\/2.4\/mod\/mod_ssl.html\">Apache Mod_SSL<\/a><\/li>\n<li><a href=\"https:\/\/letsencrypt.org\/\"><em>Let\u2019s Encrypt<\/em><\/a><\/li>\n<li><a href=\"https:\/\/letsencrypt.org\/how-it-works\/\"><em>Let\u2019s Encrypt<\/em>: How it works<\/a><\/li>\n<li><a href=\"https:\/\/www.ssllabs.com\">SSLLabs<\/a><\/li>\n<li><a href=\"http:\/\/www.keylength.com\">Keylength.com \u2013 background information about ciphers and keys<\/a><\/li>\n<\/ul>\n<h3 id=\"license-copying-further-use\">License \/ Copying \/ Further use<\/h3>\n<p><a rel=\"license\" href=\"http:\/\/creativecommons.org\/licenses\/by-nc-sa\/4.0\/\"><img decoding=\"async\" alt=\"Creative Commons License\" style=\"border-width:0\" src=\"https:\/\/i.creativecommons.org\/l\/by-nc-sa\/4.0\/80x15.png\" \/><\/a><br \/>This work is licensed under a <a rel=\"license\" href=\"http:\/\/creativecommons.org\/licenses\/by-nc-sa\/4.0\/\">Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License<\/a>.<\/p>\n<h5 id=\"changelog\">Changelog<\/h5>\n<ul>\n<li>2019-11-04: Added env=HTTPS condition to STS header config<\/li>\n<li>2019-10-31: Disabling TLSv1 and TLSv1.1<\/li>\n<li>2018-04-13: Update title format (markdown); rewordings (Simon 
Studer)<\/li>\n<li>2017-12-17: Fixed several links<\/li>\n<li>2017-03-04: Fixed IP address of VirtualHosts to 127.0.0.1, updated stdout of curl calls<\/li>\n<li>2017-02-25: Getting rid of AllowOverride completely<\/li>\n<li>2017-02-16: Reformatting<\/li>\n<li>2017-02-15: Updates to session cache and session tickets description<\/li>\n<li>2017-02-14: Updated the description of the Let\u2019s Encrypt mechanics, added new link to \u2018How-it-works\u2019<\/li>\n<li>2016-12-28: Adjusted Timeout and MaxRequestWorkers, Listener now set to 127.0.0.1, cosmetics<\/li>\n<li>2016-12-04: Fix omission of STS header in basic config block<\/li>\n<li>2016-10-12: Adjusting text for cipher suite, random source, includeSubDomains and session cache after input by Ivan Risti\u0107<\/li>\n<li>2016-10-11: Spelling, English style and spelling<\/li>\n<li>2016-10-08: Rewritten for <em>Let\u2019s Encrypt<\/em> (with support from Luca K\u00e4ser)<\/li>\n<li>2016-03-16: Translated to English<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Enabling Encryption with SSL\/TLS What are we doing? We are setting up an Apache web server secured by a server certificate. Why are we doing this? The HTTP protocol uses plain text, which can easily be spied on. 
The HTTPS extension surrounds HTTP traffic in a protective SSL\/TLS layer, preventing snooping and ensuring that we [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-947","page","type-page","status-publish","czr-hentry"],"_links":{"self":[{"href":"https:\/\/www.netnea.com\/cms\/wp-json\/wp\/v2\/pages\/947","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.netnea.com\/cms\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.netnea.com\/cms\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.netnea.com\/cms\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.netnea.com\/cms\/wp-json\/wp\/v2\/comments?post=947"}],"version-history":[{"count":2,"href":"https:\/\/www.netnea.com\/cms\/wp-json\/wp\/v2\/pages\/947\/revisions"}],"predecessor-version":[{"id":2057,"href":"https:\/\/www.netnea.com\/cms\/wp-json\/wp\/v2\/pages\/947\/revisions\/2057"}],"wp:attachment":[{"href":"https:\/\/www.netnea.com\/cms\/wp-json\/wp\/v2\/media?parent=947"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}